Cisco ACS 1121 version 5.3 - Logging

Similar Messages

• Cisco ACS 1121 server configuration

  Hi,
  Anyone can tell me how to configure LAN teaming in Cisco ACS 1121. My requirement is to have virtual IP in the server with two physical IPs in the available 2 interface in the server.
  Regards,
  Haja Shajahan.M

  Currently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
  Paps

• Cisco ACS Appliance and Passed Authentication Logs

  I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
  When I look at the "Passed Authentication" logs, the users seem to show up about 3 time a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
  Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
  Thanks for any suggestions!

  What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I ope this helps.

• Migrating a Cisco ACS Database

  Hi,
  Can there be any potential problems, if we want to migrate an existing Cisco ACS Database to a different physical Server (Keeping the same IP information etc) ?
  We were running Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
  Regards \\ Naman

  Hi,
  I'm not an expert for the ACS but when you look into System configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
  Cheers,

• ACS 1121 with v5.0 PAK lost

  It has been more than a year since a customer bought a Cisco ACS 1121. It was unpacked then and the PAK is lost, no where to be found.
  Is there any way to retrive the lost PAK ??? Help needed much.

  You need to send an email to [email protected] with the following information:
  Cisco Sales Order Number
  SAS contract
  You can obtain your software license at this site: http://www.cisco.com/go/license. Once you arrive at this site, you will need to enter in your Cisco.com user ID and your password to access this site. You will also need to enter in your Product Authorization Key (PAK).
  Regards,
  Jatin
  Do rate helpful posts-

• Red Hat OS version in the ACS 1121

                  Does anyone happen to know the Red Hat OS version in the ACS 1121 appliance?

  I don't have an ACS1121 handy but I believe the ADE-OS appliances have a common base.
  Here the output from one running Cisco Prime LMS 4.2.1 (the latest version of that product):
  [*****/root-ade ~]# cat /proc/version
  Linux version 2.6.18-238.1.1.el5 ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Tue Jan 4 13:32:19 EST 2011

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Cisco ACS register to primary with different acs versions

  Hello, I've updated a backup unit of two acs to  version 5.4.0.46.0a first I changed it to standalone, and now I try to register to the main ACS which is running version 5.1.0.44.2
    And I get this error
  This System Failure occurred:  com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved.Click OK to return to the list page.
  What can I do to solve it?
  Kind regards

  The primary and secondary should be running on the same code.
  Jatin Katyal
  - Do rate helpful posts -

• Cisco ACS version 4.2 patch update

  Dear All,
  I am using cisco ACS version 4.2 (0) Build 124 and i would like to upgrade it with latest patch .Can anyone provide me the step by step procedure for the upgrade through serial console or through GUI.
  It would be also appreciate if if you could provide me the exact link / patch for 4.2(0) release.
  Regards..

  Ciscoworks can use various mechanisms to discover the devices on your network.
  The network administrator can discover the devices using different protocols, such as Cisco Discovery Protocol, BGP, OSPF, Address Resolution Protocol (ARP), HSRP, cluster, routing table, and ping sweep on IP range, that are activated at different layers of the Open Systems Interconnection (OSI) model in the device.
  It has a benefit when the devices on the network will not be better responsive to any other modules of Discovery.
  Usually other module learn IP of the neigbour device with their data, like asking CDP neighbour details or OSPF Table. Whereas in Ping Sweep LMS will simply continue to check devices based on the IP Range.
  Example, if you selected Ping Sweep On IP Range, you can specify the seed device as 10.77.209.209 and the subnet mask as 255.255.255.240. Entering a smaller subnet mask value may result in a longer discovery cycle, as discovery has to sweep IP addresses from more networks. It is recommended to enter a Class C mask instead of a Class A or B mask.
  So using Ping Sweep helps you find your devices faster of it is failry simple network with simple range of IP's on devices, may be on a single subnet.
  More details on How Ping Sweep Algorithm Works technically behind, in LMS, is available here:
  https://supportforums.cisco.com/docs/DOC-9005#Ping_Sweep_On_IP_Range
  This document describes, in depth about all modules used in LMS Device Discovery.
  Hope it will be helpful to understand.
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **

• Cisco ACS Server . Download Evaluation Version For Testing.

  Hello.
  I want to try to install ACS server for windows to check how this is working with Microsoft AD. Does anyone know where i can download an evaluation version of Cisco ACS Server for Windows ?

  Hello Michael-
  The ACS version for Windows is no longer available. The product is EOL/EOS:
  http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
  The product was replaced with a Linux based version (5.x) and it is a lot easier of a product to install and manage. 
  If you want to evaluate the product I would recommend that you contact your local Cisco partner:
  https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
  Thank you for rating helpful posts!

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Cisco ACS 5.4 patch 6

  Hi Everyone,
  I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
  Connectivity between them is ok, same subnets.  I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory.  Both of these ACSes are used to authenticate my network devices.
  Every time I use the webUI to log into the Secondary ACS (https://CiscoACS2), I can see that the CiscoACS2 is synced with CiscoACS1, the status is always "UPDATED"
  However, if I webUI into the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending". 
  I've tried to do "full replication" and eventually it will show up as "UPDATED" but a few hours later, it will show up as "PENDING".
  Anyone knows why?  Is this a "bug"?
  Thanks in advance.

  Hi,
  If replication status on ACS1 GUI is showing pending then you know, full replication happens over the Sybase DB TCP port 2638, so your port need to be open in firewall.

• Cisco ACS 4.2(1) Certificate problem

  Hi guys,
  I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
  I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
  When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
  Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
  What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
  best regards,
  NC

  Anyone?
  I think this maybe some Bug but i am not so sure about that.
  regards,
  NC

• ACE 4700 and Cisco ACS aaa authentication

  ACE version Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)
  Cisco ACS version 4.0.1
  I am trying to authenticate admin users with AAA authentication for ACE management.
  This is what I've done:
  ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
  warning: numeric key will not be encrypted
  ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
  ACE-lab/Admin(config-tacacs+)# server ?
  <A.B.C.D> TACACS+ server name
  ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
  can not find the TACACS+ server
  specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
  ACE-lab/Admin(config-tacacs+)#
  Why am I getting this error? I have full
  connectivity between the ACE and the ACS
  server. Furthermore, the ACS server
  works fine with other Cisco IOS devices.
  Please help. Thanks.

  Thanks. Now I have another problem. I CAN
  log into the ACE via tacacs+ account(s).
  However, I get error when I try going into
  configuration mode:
  ACE-lab login: ngx1
  Password:
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  ACE-lab/Admin# conf t
  ^
  % invalid command detected at '^' marker.
  ACE-lab/Admin#
  The ngx1 account can access other Cisco
  routers/switches just fine and can go into
  enable mode just fine. Only issue on the ACE.
  Any ideas? Thanks.