ACS v4.0 - Appliance vs. Server

With the appliance coming into line with the server version of the ACS, what are the advantages of one over the other? I know the advantage to the engine is that it is a security-hardened device. This doesn't matter to me. I want to know the advantages you have found and/or the bugs you've found in one or the other.

I would 2nd that... and I used to work in ACS dev.
Appliances are great for simple things. ACS is primarily application software with a complicated set of interfaces that were not designed with appliancing in mind.
When (if?) Cisco ever gets around to re-architecting ACS then it may be a different story.

Similar Messages

  • ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

    Hello,
    I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
    In the configuration menu: network config > AAA server, the AAA-server-IP-address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server.
    Although the IP address in my network connection of the Windows LAN connection is set to static.
    When I reconnect the Ethernet interface of the server, it stays in 169.154.x.x, and I need to reconfigure the real static address each time.
    Do you know this problem? Is there a way to avoid it?
    Michel Misonne

    Hi Michel,
    It was an issue in the ACS 1113 SE Appliance, and a clear solution for the above is mentioned in the link below:
    http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
    HTH
    Ganesh.H

  • Is it possible? Two ACS 4.2 Appliances with the same remote agent

    Hello,
    I have an ACS 4.2 Appliance integrated with Active Directory, CA and Remote Agent. I want to aggregate another ACS 4.2 Appliance with the same configuration, the same Active Directory and CA. My question is: can I configure the other ACS with the same Remote Agent as the first? In other words ...
    I attach the diagram.
    Thank you

    Hi,
    Maximum number of appliances supported—While a single Cisco Secure ACS Remote Agent can provide services to many Cisco Secure ACS Appliances, support is limited to five concurrent connections by the appliances served. For example, if you have three appliances that are primary Cisco Secure ACSes and three appliances that are secondary Cisco Secure ACSes used for failover purposes only, the remote agent can provide services to all six appliances and stay below the maximum of five concurrent connections.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guide_chapter09186a0080193aa1.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • NAC Appliance 3350 Server

    Hi ,
    We are facing an issue with the NAC Appliance 3350 Server, where we are trying to log in via a user configured on a newly migrated AD server on Windows 2008.
    This AD server was on 2003, where on the same NAC it's working fine. I am not much into NAC, so I need your help.
    ========
    Thanks 4 reply

    Hello,
    NAC Appliance:
    • Offers Authentication, Authorization and Remediation
    • Covers Wireless, VPN and LAN.
    • Can only be used as an appliance. No virtualized offerings. For small locations with ISR routers, a 50 and 100 user module is available.
    • Licensed by user count matching and applied to the corresponding enforcement server. User bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
    • Uses SNMP V1,2 and 3 or can be in-band / bump in the wire.
    • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
    • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
    • Can leverage Cisco Guest Server for advanced guest access.
    • Comes in HP or IBM appliance formats.
    • IBM appliances are 3315, 3355 and 3395 appliances. They can support ISE.
    • HP appliances are 3310, 3350 and 3390 appliances. They cannot support ISE.
    ACS 5.X:
    • Offers 802.1x NAC features and device management (TACACS/RADIUS).
    • Can be an appliance or Vmware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
    • Provides Authentication and Authorization. Does not offer remediation.
    • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
    • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

  • What does acs 4.1 appliance join a domain????

    Hi all!
    This is my first time working with ACS 4.1, and I have a problem: how does an ACS 4.1 appliance join a domain?
    My lab with ACS 4.1 on Windows Server 2003 is OK, but when working with the ACS 4.1 appliance, I don't know how to join this appliance to the domain, so I cannot use the Windows database.
    I want to set up the Windows database but have not been successful.
    Please help me !!!!!!!
    thanks very much

    Hi,
    Use ACS appliance remote agent:
    ACS SE remote agent installation guide:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/remote_agent/ra.html
    ACS SE RA:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/LgsRpts.html#wp638135

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a wireless LAN platform composed of Cisco 1100 Access Points with ACS 3,1 and a Microsoft CA. The security scheme is EAP-TLS (certificates). This architecture was completely functional. The problem took place when replacing the ACS 3,1 with the ACS 3,2 APPLIANCE, for which new certificates were issued by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network without succeeding, remaining in a state of "trying to authenticate" in the network adapters; in addition, the following message appears in the ACS logs: "NAS duplicated authentication attempt".
    If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

    A hint I could give you is that in such a scenario you need a trusted boundary between the ACS Appliance and the MS AD/PDC. This will be realized through a PC/host which is a registered member or user of the AD/PDC. This relay computer then communicates with the MS CA. The software that Cisco provides is the Cisco Secure ACS Agent. Hope this helps, as we found the same problem in LEAP authentication, as the ACS Appliance could not be set into an AD/PDC domain. This has to be realized through this small piece of software installed on a PC/host etc. which is an active AD/PDC member.

  • Unable to register a secondary ACS 5.2 appliance

    Hello,
    I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
    This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
    I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
    Am I doing anything wrong?
    Is there any LOG I can check to troubleshoot this?
    Thanks a lot!!!
    Regards,
    Julio

    I finally found the problem. I was using the admin user (super user privileges). I created another user with all permissions and it worked.
    Thanks a lot.

  • Change IP Address ACS 4.2 Appliance

    Hello,
    I have an ACS 4.2 Appliance integrated with AD and CA in Windows 2K3, both of them working OK, and Remote Agent, but we want to change the IP address of the ACS 4.2 Appliance. What is the procedure to do this? Do I have to install the certificate again? I know that the certificate depends on the hostname and IP address.
    Thank You
    Álvaro

    Hi Alvaro,
    Best to use the serial console of the ACS Appliance, type set ip, and follow the procedure to change the IP address:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • ACS 4.2 appliance external database configuration with AD

    Dear All,
    How do I configure an external database in the ACS 4.2 appliance for Windows Active Directory? Active Directory is configured on Windows 2012. The ACS internal database is working fine without interruption. What configuration is required to configure the external database (Active Directory)? It would be highly appreciated if you share your experience with me.
    Thanks,
    AS

    Please check
    Supported Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.2
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/device/guide/sdt42.html

  • How to manage the Cisco ACS 3.3 from ciscoworks server ?

    I have an ACS 3.3 server appliance and want to manage it from the CiscoWorks server. I wanted to see it in the Campus Manager; can I manage its inventory?
    Cisco Secure Access Control Server Solution Engine.

    Hi,
    Yes, absolutely right. The ACS appliance cannot be managed since SNMP cannot be enabled in ACS.
    I tried, but after raising a TAC case with Cisco they told me it is not possible.
    In Campus Manager you cannot view the Cisco devices ACS, NIDS and PIX firewall.
    Hope this information is useful

  • Passed Authentication Logs on ACS 4113 SE appliance

    I need to get a copy of all Passed Authentication logs from our appliance. Is there a way that I can ftp all those files to another device? Or is there another way that I can retrieve those files?
    Thanks
    Dwane

    Dwane,
    Yes, you can send logs to another system on the network using remote agent.
    Remote Logging for ACS SE with ACS Remote Agents
    The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.
    For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 4.2 Appliance integration with LDAP

    Hi,
    I would like to ask some questions of the experts here.
    1. I'm building 802.1x infra for my customer.
    2. We are using ACS SE version 4.2
    3. We have successfully integrated the ACS with AD using Remote Agent.
    4. Users will authenticate using PEAP MS-CHAP v2.
    5. However, my customer doesn't want to use Remote Agent (RA) because they want the ACS to talk to the external database directly.
    6. Their argument is, if they bought another RADIUS appliance for this project, the appliance should have the same function in order to authenticate the user.
    7. What is needed to complete this requirement?
    7. What are needed to complete this requirement?
    I saw in this table http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274 the LDAP does not support PEAP MS-Chap v2.
    Can any expert give opinion on this issue?

    Despite various efforts a few years back, LDAP vendors could not be persuaded to implement an MSCHAP interface - which is technically possible.
    That said ACS also has its Windows External Authenticator that will do MSCHAP just fine to a Windows AD Server (via a different interface).
    The old LEAP protocol was mschap inside EAP. EAP-FAST can also do mschap too.
    The key is not to use the LDAP authenticator in ACS. If you really must use it, you'll have to make sure you use EAP-GTC inside your PEAP/FAST tunnel.

  • ACS 4.2 Appliance and Windows Agent

    Hi
    Wonder if any one has an idea on this?
    We have two ACS, 1 windows and 1 appliance.
    The appliance is the primary ACS.
    The other night all our wireless devices failed to authenticate.  We tracked this down to the Windows server with the ACS Agent on it for the appliance.
    The error was failed to bind to domain, server down, which we found was an AD server that ran out of memory.
    Because the wireless controllers could still see the appliance, it didn't fail over to the secondary.
    I was wondering, is there a configuration where if it fails on one ACS it tries to authenticate on the second ACS?
    Alternative is to replace the appliance with a windows box so no need to use the agent.
    Answers on a post card :-)
    Cheers
    Craig

    Hi Craig,
    Unfortunately, the authentication request will not fall on fallback if the primary is still up.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACS 4.1 Appliance

    I can't ping my ACS but I can access it through the web browser. This prevents me from setting up a connection between the appliance and my FTP server for backups. When I console to the device and attempt to do backups manually, I get an error message saying that it could not establish a connection with the FTP server. I can ping any device on my network from the appliance but not the other way. Any suggestions on how to do backups for the appliance?

    I can access my appliance both through the web browser and the CLI. The only thing I'm having a problem with is the connection between the appliance and my FTP server; it keeps giving me an error about not being able to resolve an IP or hostname. I've specified a DNS server on the device, and when I'm on the CLI I can ping devices using both their hostnames and IPs. When I do backups from the CLI they go to the CSUtils folder in Program Files, and I can't even access this folder on the appliance.

  • User-changeable Passwords issue f/ ACS 4.0 on Windows Server 2003

    I am having an issue with the UCP website not functioning correctly. I have installed it from the ACS 4.0 CD, following the instructions from the Cisco.com website, but cannot get past the Login page. Users can get to the Login page, but after they enter their information (username / password) and click Login, the server returns the following error page: "CGI Error. The apecified CGI application misbehaved by not returning a complete set of HTTP headers."
    I cannot get past this page. I have verified that the website is installed as outlined in the Cisco procedure, and have re-installed twice to verify. I have granted Everyone Write and Execute permissions to the site directories, and granted the Virtual Directories Script and Executable access.
    Any help on this would be greatly appreciated. I am evaluating ACS 4.0 for deployment in our company, and UCP not working is a major stumbling block.
    Additional configuration information:
    Windows Server 2003 SP1, patched current to 8/29/06
    The ACS server is also running on this server; it was installed and tested first, before installing UCP.
    Thanks,
    John

    Change the user that runs CSusercgi.exe to Administrator. Refer to the following steps:
    • Install UCP 4 on a machine that runs IIS server.
    • Open IIS Manager.
    • Locate Default Web Site.
    • Double-click on the virtual name 'securecgi-bin'.
    • Right-click on CSusercgi.exe and choose Properties.
    • Choose the 'File Security' tab.
    • Choose 'Edit' in the 'Authentication and access control' area.
    • Change the username from IUSR_ to 'Administrator' and enter his password.
