Adding Users on Cisco Secure ACS Solution Engine 3.3

We have a large block of userids we need to add to our ACS 3.3 Solution Engine into the CiscoSecure User Database. When using the web-based GUI, it looks like you can only add one user at a time. Is there anyway to add users as a block with some type of command line, or is there a utility that will add users and also copy user options? It would be helpful if in the Add/Edit user panel, there was the ability to copy settings from a previously installed user definition.

I'm not sure that csutil would setup all the parameters I need, so I would have to choose CSDBSync. Tacacs is used and not Radius. I need the user to initially be configured disabled, specify his/her real name and description, assign the user to a group, assign a PAP password and confirmation, use group settings for callback, client ip address assignment, and max sessions, establish a date to automatically disable the account, provide no enable privileges, and set a Tacacs+ Outbound password.

Similar Messages

  • Manage a Cisco Secure ACS Solution Engine?

    Hello,
    how can i manage/observe a 'Cisco Secure ACS Solution Engine'? Ich found no things like SNMP etc.
    regards
    Karsten

    Hi,
    you have no chance to control the ACS SE with snmp. We have one router, access via ACS and uses a script roboter to control the access to the router. If the access fails, we send us an email
    Bye Michael

  • Cisco Secure ACS Solution engine v3.2

    The ACS Soultion Engine appliance hardware by default comes with two NICs. Can I configure it so one Nic be on VLAN 30 and the other Nic be on VLAN 50?
    VLAN 30 - will be the network that communicate or forward credential to ACS Remote Agent for Windows authentication.
    VLAN 50 - will be for network devices authetication. RAIDUS or TACAUS.

    This is not possible as only one nic works at a time . ( Check for Back Panel features)
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1046176
    Regards,
    Jasjeet

  • Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.

    Hello,
    I am having Cisco Secure ACS 4.X Solution Engine 1113 Appliance, and is running on version Cisco Secure ACS Release 4.1(1) Build 23 and now want to upgarde it to the latest version. Need to know the upgrade path for the same. As per my information ACS 4.1(1) runs on windows server and releases post to 5.X uses Linux. Please guide how can i upgrade Appliance 1113 from 4.1 to 5.x

    Hi,
    Cisco ACS 1113 appliance doesn't support ACS 5.x version. 1113 appliance supports till ACS 4.2.1 version.
    Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
    The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
    Regards,
    Karthik Chandran
    *kindly rate helpful post*

  • Cisco Secure ACS 4.0 Solution engine problem

    Hi,
    I have a probleme with a Cisco Secure ACS 4.0 Solution Engine (CSACSE-1113-K9).
    I try to power up the engine, but the light in the power button stay blinking all the time. Anyone have a idea why ?
    Last week, I boot it for the first time (It's brand new), every things goes fine.
    I made " shutdown " then wait the message to press 4 seconds power button to turn it off. This morning, nothing come up.
    I see one thing in the console "Press <SpaceBar> to update BIOS." after that, blank. No bios detection, no harddrive dectection, no windows boot.
    Any idea ?
    Thank you

    No, I'm sur.
    Then we have version 1113 of ACS.
    See: http://www.cisco.com/application/pdf/en/us/guest/products/ps6731/c2001/ccmigration_09186a008068f7bd.pdf
    Page 32(1-8) #2.
    I let the engine off about 6hours after my first post, then I try back. The engine start.
    What can cause this problem ?

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the worlds best selling remote access security solutions and its quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
    extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    Fore more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

    bump

  • With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...

  • Maximum users on ACS Solution Engine 3.3

    Hello,
    I need to know the maximum supported number of users in the local database of the CiscoSecure ACS Solution Engine 3.3 (the appliance) ?
    Is there a document about this ?
    Thank you !
    Patrice

    The client version of Mac OS X supports a maximum of 10 AFP clients. It's always been that way.
    If you want more than 10 AFP clients you need to move to Mac OS X Server (unlimited) which can support any number of concurrent users.

  • User $enable15$ in Cisco Secure ACS

    Hi all,
    I have a Cisco Secure ACS server, by default it has a username called "$enable15$"; I am using TACACS as the authentication protocol.
    The question is if I need the $enable15$ user configured in the ACS server even if I am using TACACS as the authentication protocol. I want to delete it but I am not sure if it is possible.
    regards
    Regards.

    Group Setup, select the group and click on edit settings and scroll down to "Cisco IOS/PIX 6.x RADIUS Attributes" and enable "cisco-av-pair" and enter shell:priv-lvl=15.

  • Import user and group from dump.txt to ACS Solution Engine 3.3

    I have export the user and group using the CSUtil -d on my acs v2.6. But ACS Solution Engine 3.3 does not have the CSUtil command to import the user and group database. Can anyone advise me?

    I'm trying to do the same thing with no luck so far.
    Documentation seems to indicate you can do this using RDBMS Synchronization but we haven't got it to work yet.
    I read the doco as saying you create a csv and place it on an FTP server and ACS will read from that file. When we've tried, it rights its own file with a different extension and says it can't find the one we place in that same directory.

  • Cisco Secure ACS 4.2 with Oracle

    hi there...
    Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco  1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113  Appliance as radius server. For username and password, ACS will export the data from Oracle database(production DB).
    The problem that we are facing right now is password that store in oracle database is in  encrypted format. Base feedback from our database administrator, the  encryption is done by oracle - application layer and cannot be decrypt  back. In Oracle they call it "Oracle Stored Procedures"
    My questions :
    1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
    2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
    Please advice.
    Thanks

    Microsoft SQL Server and Case-Sensitive Passwords
    If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
    For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
    For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
    Sample Routine for Generating a PAP Authentication SQL Procedure
    The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id (`dbo.CSNTAuthUserPap') and
                             sysstat & 0xf = 4)drop procedure dbo.CSNTAuthUserPap
                             GO
                             CREATE PROCEDURE CSNTAuthUserPap
                             @username varchar(64), @pass varchar(255)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username
                             AND  csntpassword  = @pass )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
                             GO
    Sample Routine for Generating an SQL CHAP Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTExtractUserClearTextPw') 
                             and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
                             GO
                             CREATE PROCEDURE CSNTExtractUserClearTextPw
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error",csntpassword
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
                             GO
    Sample Routine for Generating an EAP-TLS Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTFindUser') and 
                             sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
                             GO
                             CREATE PROCEDURE CSNTFindUser
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
                             GO
    Reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 running on a
    Standalone Windows 2003 Enterprise 2003with the lastest
    windows service pack and update. Secure ACS is running
    fine and I can authenticate with Cisco routers and
    switches. The Windows 2003 server is also running Microsoft
    IIS Server. In other words, the IIS server and Cisco
    Secure ACS is running on the same windows 2003 server.
    I am trying to get Cisco User-Changeable password to work
    with Cisco Secure ACS. I followed the release notes lines
    by lines and the work around provided below:
    Also server require more privileges for the internal windows user that runs CSusercgi.exe.
    The name of the windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
    password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in the Windows 2003 to be "ALLOWED" by
    EVERYONE. In other words, there are NO security on the windows 2003.
    It is still NOT working.
    The other question I have is that can Cisco UCP allow user
    to change his/her enable password?
    Can someone help? Thanks.

    Yes bastien,
    Thank you.
    But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
    I've given it several time; also going through Administrator account with administrative credentials but it always failed.
    Any suggestions/solution/?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

    To Whomever Can Assist,
          I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can login into the admin web-console just fine.  However, when I create a new or test user that mirror my configuration that user cannot login to the admin web-console.  The user can login it to devices with the appropriate privileges, but can't administer his/her account within ACS.  This has proven very problematic and needs a remedy.  Thanks for the assistance.

    Bradbryant.dhs,
    Where are you creating the new admin user who should have access to ACS web gui under internal users or administration.
    Internal user and ACS administrator accounts are completely different. 
    Adding administrator account
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • Unauthorized device logging in via Cisco Secure ACS 3.2

    We have the Cisco Secure ACS v 3.2. There is a devices that we recently discovered is not added into the network configuration on the ACS. This device running IOS 12.2(29) does have all of the correct tacacs settings that should allow it to authenticate via Tacacs.
    So basically, the ACS is allowing users to use this device to login, even though it's not in the Network Config.
    When we look at the Logged-in Users report, it show the host name as "Tacacs+ Default". We aren't sure what that is supposed to mean, and why it's allowing it.
    Thank You for your time,
    Andrew

    Andrew,
    Make sure that you not using any Wildcards inplace to IP address in network configuration. Eg using 192.168.*.*
    This will open tacacs request from whole network 192.168
    Also check the passed attempts and check the NAS IP address from the where the request is coming. Search for that IP in network configuration and see if that IP belong to that switch in question. L3 switch can have multiple ip address.
    If that IP belong to that swtich , then you need to take that out from network configuration.
    Regards,
    ~JG
    Do rate helpful posts

  • Features of Cisco Secure ACS Appliance

    Hi,
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Normale Tabelle";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
    There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
                o     Can known users still be authorized?
                o     Are unknown users still blocked?
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    •     Which kinds of Attacks can the ACS (alone) prevent?
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rouge DHCP servers?
                o     Can it prevent STP Attacks
    •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
    Thanks for all answers.
    Regards,
    taouri

    See inline answers:
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    Yes, as long as those devices support RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to insure it'll work.
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
    This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work
                o     Can known users still be authorized?
    In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
                o     Are unknown users still blocked?
    Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
    •     Which kinds of Attacks can the ACS (alone) prevent?
    ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rouge DHCP servers?
                o     Can it prevent STP Attacks
    •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
    This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
    http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

Maybe you are looking for

  • 2 business phones to share 1 itunes?

    My wife and I have iPhones for work purposes.  My wife has a 4S and has built up a bit of a library in iTunes.  I have recently received a 5 through my work which has an ID set up based on work email, etc. So neither of us are allowed to share the bu

  • Completed an album on Mac, won't show on iPhone

    So We The Kings had released four singles from their new CD which I bought. Tonight, they released the entire CD and I did the "Complete my album" option. The singles did not go onto the album, so I went into their info and changed their Album name t

  • Receiving Transaction in MT

    when user enter DFF at Receiving transaction, but this DFF doesn't show in material transaction. Is there any configuration? Edited by: user9092987 on Jul 4, 2011 10:06 PM

  • Ios 6 doesnt display contacts via bluetooth in car

    IOS 6 doesnt display my contacts in my car Radio via blutooth yet it can recieve and make calls? does anyone know how to fix this ? its a brand new car btw

  • Material ledger regarding

    Hi, For a plant completed the cost object controlling & ML activation setting, when we check in CKM9 - check report, system does not activate the "Integrated with Cost Object Controlling" flag. Can u some one explain how to rectify the same?. Thanks