Base DN in ACS 4.2

Similar Messages

• ACS 5.4 change base license

  Hi all,
  I was wondering if there is a way to actually change the base license in an ACS deployment. I know this isn't the recommended approach to accomplish what I wanted to do but I'd appreciate if someone could tell me how to do it if possible.
  I need to add an ACS to a distributed deployment so instead of building the new ACS server from scratch, I decided it would have been a good idea to simply clone the machine and change the IP address. All was well until I tried to add it to the primary and I got an error saying that they have the same license file applied. When I go to the license section, there's no place for me to change the license.
  The reason I didn't rebuild it from scratch is that the person I was working with no longer had the ISO and their Internet connection is very slow.
  Does the acs reset-config command remove the license as well or just the policies, etc? Maybe I could do a config backup and reset it, then load the new policies?
  Regards,
  Xavier

  Here are the steps for upgarding/replacing ACS Base license. Please follow the same.
  You can upgrade the base server license.
  Step 1 Select System Administration > Configuration > Licensing > Base Server License.
  The Base Server License page appears with a description of the ACS  deployment configuration and a list of the available deployment  licenses. See Types of Licenses for a list of deployment licenses.
  Step 2 Select a license, then click Upgrade.
  The Base Server License Edit page appears.
  Step 3 Complete the fields as described in Table 18-31:
  Table 18-31     Base Server License Edit Page   
  Option Description
  ACS Instance License Configuration
  Version
  Displays the current version of the ACS software.
  ACS Instance
  Displays the name of the ACS instance, either primary or secondary.
  License Type
  Specifies the license type.
  Use this link to obtain a valid License File
  Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
  License Location
  License File
  Click Browse to navigate to the directory that contains the license file and select it.
  For more information you can go to the below link
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_config.html#wp1053145

• ACS SE base image UPgrade

  HI,
  We have upgraded the ACS SE 1112 as following.
  Cisco Secure ACS : 4.0.1.42  to 4.1.1.23
  Appliance Management Software:4.0.1.42to 4.1.1.23
  Appliance Base Image needs to upgrade from 3.3.1.8 to 4.1.1.4 but we are not able to download the package at download centre as it is not available.
  Kindly suggest for base image upgrade.
  Regards,

  It should work as long as you don't miss anything, and yes you are supposed to install an agent that matches the version you are running. You might want to go ahead and put the latest updates on the ACS before you put it into operation. The process is kind of different than other updates. You might want to read my other ACS posts. I recently killed one of my ACS boxes because I did not install the CSUPdate cumulative patch before installing the lastest patch of the same rev level. (i.e. read directions carefully). Make sure you do an FTP backup before updating the software. If anything goes wrong you could have to reimage the box. There were lots of bug fixes in the updates since 4.1.1.
  Randy

• ACS 5.3 / Self Signed / Certificate base auth

  Hello,
  Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
  We have exported it to have a Trusted Certificate for client machine.
  This certificat has been installed on a laptop.
  The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
  I have this error in the log:
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
  I think the Access Policies (identity & authorization) are misconfigured:
  > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
  > Identity: System:EAPauthentication match EAP-TLS
  id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
  > authorization: System:WasMachineAuthenticated=True
  Thanks for your help,
  regards,

  Hello,
  I found the answer here:
  https://supportforums.cisco.com/message/1298039#1298039
  ACS self-signed certificate is not compatible with EAP-TLS
  Thanks,

• ACS 5.3 and Windows AD account lockout

  Currently on 5.3.0.40.2 when a invalid password is attempted via TACACS or RADIUS to the AD identity store is locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policys in ACS but nothing for the identity store. For what its worth this happened also with ACS 4.X deployment before we moved to ACS 5.3.
  Just wanted to see if this is the expected behavior or if I should open a TAC case to see what is causing this.
  Thanks.

  Hi;
  Well, we got it working. Not sure of the exact fix, but allow me to ramble, perhaps it will help someone else.
  We think that a combinationof factors caused the problem. First, we had clock drift, and that resulted in clock skew messages in the logs like these:
  Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
  and
  ecb-acs1 adclient[1163]: WARN  base.bind.cache LDAP fetch CN=bubba,OU=staff,OU=edcenter,OU=edcenterarea,OU=episd,DC=episd,DC=org threw unexpected exception: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Clock skew too great"
  Somehow the ACS lost the ntp config, very disturbing, because I know that one of the first things I did was setup NTP. So I re-did the ntp config, confirmed the time was accurate. Still failed. Then, because I was annoyed by the log entries comning out in UTC, I did a clock timezone to set it to local. That made the logs come out in local time, but might have caused other problems (I saw another forum entry for that) so I set it back to UTC.
  This begs the question - how to leave the timezone at UTC but fix the timestamps for the logs? This is easy on Cisco switches.
  Various reboots of the ACS after deleting the object in AD did not fix the problem. During these reboots I continued to use the original userid and password to authenticate. At all times, the "test connection" button showed that the credentials were OK.
  Because we had recently added our first Win2008 domain controller to our world (all ther other DCs are Win2k3), we started worrying about this:
  http://support.microsoft.com/kb/978055/en-us
  But, after some checking, it seems as if we already had the fix applied.
  Next, we created a dedicated user in AD for the ACS to use when authenticating. Deleted the ACS object, restarted the ACS, applied those new credentials. Still broken.
  Our AD admin looked in various logs and found some things, here is his summary:
  ----------- from Danny --------
  Checked the domain controller log under system.  Found the following:
  While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
  and
  While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of stcrye will generate a proper key.
  This may be related to either clock scew between acs and the domain or introducing server 2008 domain controllers into an existing server 2003 domain. 
  On a desperate hunch, after yet again deleting the ACS object in AD and reloading the ACS, I used the new dedicated ACS user account, but gave it a wrong password. Hit save, watched it fail. Then I put in the correct password, hit save, and it worked! Finall we have re-joined and are connected to the domain.
  BUT ... I have now lost all confidence in ACS 5.3 . We are in the middle of a major rollout of WiFi clients using 802.1x authentitcation, replacing our previous pre-shared WPA setup. We are talking > 20,000 WiFi clients. If ACS <--> AD is not rock-solid, I need to try something else. Should we consider using LDAPS instead?
  Steve

• ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

  ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
  {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
  24429 Could not establish connection with Active Directory
  At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

  I had the same problem, I opened a Cisco TAC case and my issue was resolved.
  Sent: Tuesday, 14 August 2012 9:58 AM
  Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
  Hi Ramraj,
  Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
  From the ACSADAgent.log files I can see log messages like:
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
  This lines up with the error message that we see in the TACACS+ Authentication logs:
  24493 ACS has problems communicating with Active Directory using its machine credentials.
  I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
  The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
  The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
  From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes an talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
  To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• No access to serial console in ACS appliance 111

  We have 2 Cisco ACS appliances running version ...
  Cisco Secure ACS 3.2.2.5
  Appliance Management Software 3.2.2.5
  Appliance Base Image 3.2.2.1
  The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
  1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
  2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
  3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
  4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
  Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
  Kind regards.

  Hi
  I had similair problem being locked out of console after initial configuration wizard.
  I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
  I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
  deliverance1> start CSAgent
  Starting service: CSAgent..
  CSAgent is starting
  CSAgent is running
  Regards
  Ian

• How to uninstall a license in ACS 5.1

  Hi everyone,
  We have two ACS 5.1 appliances. By mistake we install the same license in both devices and when we tried to register the secondary ACS to the primary ACS it says the the license is already in used in the deployment. Furthermore, it is not possible to uninstall the license using the GUI and we can not find any command in CLI. How can we uninstall the license in the secondary box so we can install the correct license? We are trying to omit re-imaging the secondary box beacuse we don't have physical access to it now.
  Best Regards!

  There is no mechanism to update a permanent base license once it is installed
  SInce the license is stored in the database then doing something like a clean install followed by a restore will not help since just get the old license restored
  Note that once you join the secondary to the deployment it will take all its configuration from the secondary. Therefore should do the following on the secondary
  - reset configuration using following CLI "acs reset-config"
  - wait until CLI completes and all processes are up and running agin using "show application status acs"
  - log into GUI on secondary server where you will be prompted to enter admin password and license
  - can now join this secondary server to the deployment
  One other thing to note is that there are some server certificate details that are stored locally to the secondary server and so should ensure they can be restored after the process above is performed

• ACS 4.2 Solution Engine - Most current?

  We have two Cisco ACS 1113 4.2 "Solution Engines" running Windows. They are in test. Is this the most current software base for the 1113? My memory is telling me there was a Linux-based version in the works. Is that true? Is that available?

  Thanks! That pretty much ansers my question. ;-) At http://www.cisco.com/go/acs I read:
  "ACS 5.0 currently supports many but not all access scenarios. ACS 4.2 will continue to be available for customers that require it"
  That puts the fear in me that an upgrade may be a requirement in the future - and will involve a complete appliance swap-out. Hopefully the 1113's with 4.2 have a few years in them?

• AP Authentication via ACS.

  Hi All,
  Just a basic question regarding MAC based authenitcation of AP with ACS.
  The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.
  My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
  When working in a LAN I know its possible, but how will it work over the WAN.
  Pls. suggest ASAP.
  Thanks in Advance.
  Regards
  Harish

  Harish:
  As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
  The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.
  CAPWAP RFC metniones that you can do AP authorization by two ways:
  - with certificates
  - with PSK.
  The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.
  2.4.4.4.  PSK Usage
     When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
     contain the "PSK identity hint" field and the ClientKeyExchange
     message MUST contain the "PSK identity" field.  These fields are used
     to help the WTP select the appropriate PSK for use with the AC, and
     then indicate to the AC which key is being used.  When PSKs are
     provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
     the key MUST be specified.
     The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
     SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
     and identities be the ASCII HEX-formatted MAC addresses of the
     respective devices, since each pairwise combination of WTP and AC
     SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
     sufficient to perform authorization, as simply having knowledge of a
     PSK does not necessarily imply authorization.
     If a single PSK is being used for multiple devices on a CAPWAP
     network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
     longer be a MAC address, so appropriate hints and identities SHOULD
     be selected to identify the group of devices to which the PSK is
     provisioned
  you may spend more time reading the CAPWAP RFC if you are interested
  CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
  Hope this answers your concern.
  Amjad

• Mac based security managed centrally (Acs or whatever)

  I have a project My customer
  want to use Mac Address based Security on their whole network.They want only specific mac addressed pc/notebooks can be connected to their network.But they dont want configuration per switch basis.They wan centralized management.
  We first looked for ACS.But we realized that ACS supports only Wireless access point for this kind of purpose.I also found that there is a ACS feature called NAR(Network Access Restriction) Can i use this feature?
  They don’t want additional integratio n(Active directory or etc.) and don’t install any software to their pc/notebooks.Because of this i cant use EAP solution.
  They have app 300 pc’s and they will enter whole mac address list to ACS and only this PC’s will be connect to network.Is it possible ?
  Best Regards

  I wouldnt recommend this as a strong security solution, but it could be done - in theory.
  Customers devices need to be configured to initiate a PAP authentication using pre-configured credentials (a'la NAC auth bypass).
  ACS will have this username+password configured plus a network access restriction that lists the allowed set of macaddrs.
  While this may work for 300 users, NARs are not that easily scalable.

• LMS 3.2 ACS integration problem when using NDGs

  I'm trying to integrate the LMS 3.2 with ACS 4.2 and give to some user group rights on playing some LMS Role on some network devices group, but unsucceed. Integration itself was painless, but I can't use th LMS in way it should be used.
  It's OK, when I'm not limiting the devices users could perform their LMS Role with Network Devices Group, all going fine. All configs is done using the
  But when I'm do the 'Assign a Ciscoworks on a per Network Device Group Basis' config part on user group, it's not working at all. And, I'm having the following error messages in the ACS log:
  07/26/2010
  13:31:32
  Author failed
  tst_cc_netadm
  CC_NetworkAdmins
  10.200.11.95
  (Default)
  Unknown
  service=rme authorize-device=10.200.11.95  cmd*DcmaArchiveSummary
  10.200.11.95
  rgm-s-wanlms04
  nms-  cwlms
  WAN-  ACS-1

  Make sure you have assigned the user the NDG which contains the LMS server itself.  That is, they will need at least two NDGs: the device NDG, and the LMS server NDG.  You must also make sure your System Identity User has full access to ALL devices (best not to use NDGs for that user).

• ACS 4.2: Day-wise logging not reflecting

  Hi All,
  I am trying to capture acs accounting logs day-wise, but unable to do it. When we check under report and monitoring it shows single thread, which contain all the accounting logs.
  Need help to modify the config to get the logs on daily basis.
  Regards
  Amar

  The Radius logs are only recording Start and Stops, which I also tried the switch to capture with the aaa accounting commands. Nothing there.
  the authentication is Machine auth, using a certificate in AD. The Radius server(ACS) is configured to use external authentication and I have it setup with group mappings. When I intentially misconfigure that to get the laptop with the valid cert to fail its credentials, I do see the failed attempts. which tells me that the logging is working, but only for failed attempts by valid computers and that's of almost not use to me. I need to see when anonymous users are attempting the same thing. I am using a spare laptop that is not configured on my domain and therefore does not have a machine certificate.
  I have gone back and forth with the switch config and have used guest-vlans, and no guest-vlans. The switchport AuthSM State always stays at "Connecting" and the PortStatus is at "Unauthorized" Which is the defualt it starts in. When I am using guest-vlans the port eventually goes to connected but its in the Guest-vlan. That tells me the switch is going through the EAP messages and determines there is no valid auth. In-fact I even see EAP-Fail in the debug dot1x outputs. So why would that not be logged on the Radius Server. The laptop pops up messages saying it couldn't find a valid certificate and in the network connections the interface status shows failed authentication. So windows is failing authentication.

• Different ACS Group

  I have made two ACS user groups tac 1 and tac 2 assign them full rights on two different Network device group, G1 and G2. Tac 1 only able to access G1 group not other group.
  Now my requirement is that Tac 1 user group also access G2 devices but with limited commands.
  Right now i m achieving this by making a third user group G3 and assigning it Readonly permission on all devices.
  But I want same tac 1 group user get full rights on G1 devices but read only for G2 devices.
  Please tell me how to achieve this.

  You need to use option "Assign a Shell Command Authorization Set on a per Network Device Group Basis" , under shell command authorization.
  Regards,
  ~JG