Cisco ACS 4.2.1(15) AND wind 7 DHCP issues

Similar Messages

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• ACS with patch L 6 and Name column issue

  Has anyone experienced the following?
  My customer has used the migrate tool to migrate users from the ACS 4.2 to 5.3. He has also applied the patch level 6. However under the Identity Groups listed names (the Name column)- from some - to half of the name is missing [e.g lets say the name contains the following information: “Dimension Data”], after migrating only “Dimensi” to be seen.  He then removed the Patch Level 6 and reapplied with no success. Any advice or do I need to run to the TAC ••J
  Thanks a lot
  Lancellot Wendel

  Hi Tarik,
  thanks for the reply,
  with reg to the question
  "If you remove patch 6 and then migrate, does it work?"
  No it did not work either, well I guess I have to open a TAC case for this.
  thanks in advnace
  regards,
  lancellot

• Cisco ACS config file

  Hi all,
  I have a cisco ACS V.4.0 server and want to get the config file. How can I get the CLI command prompt ? Or, Any where I can get the config file ?
  Thanks
  Leung Che Man

  You can always take ACS backup from the GUI by going to System Configuration >>  Click ACS Backup >> enter the FTP information >> Backup now.
  Performing a Manual ACS Backup
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sba.html#wp222516
  Once you connected to ACS via CLI the default username and password if not changed would be
  user= Administrator
  Pass= setup
  Establishing a Serial Console Connection
  http://cisco.biz/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/installation/guide/appliance/instalap.html#wpxref17544
  Backing Up ACS Data From the Serial Console
  http://cisco.biz/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/installation/guide/appliance/admap.html#wp1057928
  Regds,
  JK
  Do rate helpful posts-

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

  We are attempting to configure ACS 4.2.1.15 on Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point  for PEAP and also setup The Access Point for Radius authentication pointed to the ACS server it always maps to the the first Network Access Profile and rather than it trying the second it will error sayiing some condition is not met depending on what changes I make. Can someone tell me what the criteria that is used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
  I am using one ACS group that is mapped to an AD group for Wireless Access and a Second ACS group mapped to an AD group that includes the Net Admins. This group mapping appers to be working as the user group name seems to mapped correctly in the logs.  In short I have tried only configuring the Wireless NAP to only Allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Bascially what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go onto the next Network Access profile?
  I am familiar with version 3.2 but it does not seem to work the same.
  Any help would be appreciated on what I am missing.
  Thanks

  Hi Surenda,
                     Thanks for your reply. Nop, there is no WLC yet, but the WLC will be installed shortly.
  Thanks,
  Jean Paul

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• Integration Of Cisco ACS and MS Active Directory !!!

  Hi all,
  We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
  Thanks for your help
  Regards!!!
  Rafael Turriago

  Hi,
  If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
  The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
  The Remote Agent is the application responsible to exchange data with the DCs.
  You can find detailed information in the config guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

  Hi All,
  I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
  For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
  Thanks!

  I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
  1. Create a End Station Filter, here configure the user's IP
  2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
  3. Define your rule with the required result

• Juniper SSG and Cisco ACS v5.x Configuration

  I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
  Configure the Juniper (CLI)
    1. Add the Cisco ACS and TACACS+ configuration
       set auth-server CiscoACSv5 id 1
       set auth-server CiscoACSv5 server-name 192.168.1.100
       set auth-server CiscoACSv5 account-type admin
       set auth-server CiscoACSv5 type tacacs
       set auth-server CiscoACSv5 tacacs secret CiscoACSv5
       set auth-server CiscoACSv5 tacacs port 49
       set admin auth server CiscoACSv5
       set admin auth remote primary
       set admin auth remote root
       set admin privilege get-external
  Configure the Cisco ACS v5.x (GUI)
    1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
          Create the Juniper Shell Profile.
          Click the [Create] button at the bottom of the page
                  Select the General tab
                          Name:    Juniper
                          Description:  Custom Attributes for Juniper SSG320M
                  Select the Custom Attributes tab
                      Add the vsys attribute:
                          Attribute:                vsys
                          Requirement:       Manadatory
                          Value:                    root
                          Click the [Add^] button above the Attribute field
                      Add the privilege attribute:
                          Attribute:                privilege
                          Requirement:       Manadatory
                          Value:                    root
                                  Note: you can also use 'read-write' but then local admin doesn't work correctly
                          Click the [Add^] button above the Attribute field
                  Click the [Submit] button at the bottom of the page
  2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
          Create the Juniper Authorization Policy and filter by Device IP Address.
          Click the [Customize] button at the bottom Right of the page
                  Under Customize Conditions, select Device IP Address from the left window
                          Click the [>] button to add it
                  Click the [OK] button to close the window
                  Click the [Create] button at the bottom of the page to create a new rule
                          Under General, name the new rule Juniper, and ensure it is Enabled
                          Under Conditions, check the box next to Device IP Address
                                  Enter the ip address of the Juniper (192.168.1.100)
                          Under Results, click the [Select] button next to the Shell Profile field
                                  Select 'Juniper' and click the [OK] button
                          Under Results, click the [Select] button below the Command Sets (if used) field
                                  Select 'Permit All' and ensure all other boxes are UNCHECKED
                          Click the [OK] button to close the window
                  Click the [OK] button at the bottom of the page to close the window
                  Check the box next to the Juniper policy, then move the policy to the top of the list
                  Click the [Save Changes] button at the bottom of the page
  3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

  Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
  You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

• ACE 4700 and Cisco ACS aaa authentication

  ACE version Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)
  Cisco ACS version 4.0.1
  I am trying to authenticate admin users with AAA authentication for ACE management.
  This is what I've done:
  ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
  warning: numeric key will not be encrypted
  ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
  ACE-lab/Admin(config-tacacs+)# server ?
  <A.B.C.D> TACACS+ server name
  ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
  can not find the TACACS+ server
  specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
  ACE-lab/Admin(config-tacacs+)#
  Why am I getting this error? I have full
  connectivity between the ACE and the ACS
  server. Furthermore, the ACS server
  works fine with other Cisco IOS devices.
  Please help. Thanks.

  Thanks. Now I have another problem. I CAN
  log into the ACE via tacacs+ account(s).
  However, I get error when I try going into
  configuration mode:
  ACE-lab login: ngx1
  Password:
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  ACE-lab/Admin# conf t
  ^
  % invalid command detected at '^' marker.
  ACE-lab/Admin#
  The ngx1 account can access other Cisco
  routers/switches just fine and can go into
  enable mode just fine. Only issue on the ACE.
  Any ideas? Thanks.

• Cisco ACS 4.2 and Radius authentication?

  Hi,
  I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

  To access network devices for administrative purpose, we have only three methods available :
  [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
  [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
  and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
  [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
  Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
  And the most secure way to administer a  device is to use SSH.
  Rgds, Jatin
  Do rate helpful post~

• Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

• Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

  Hi There
  I have Cisco NAC setup in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advice.
  Regards,
  Ram
  +6-012-2918870

  Hi,
  That is not possible.
  You cannot push ACLs into the NAC manager.
  If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
  Using Radius attributes you can then map users to Roles.
  Please take a look into this:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.