Cisco ACS 4.2 TACACS+ Administration report - Help!

Similar Messages

• No TACACS+ Administration Reports after upgrade to ACS 4.1

  Hi,
  I was running ACS 4.0 demo version. Everything was running fine.
  After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
  I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
  Here is the config I?m using:
  aaa new-model
  tacacs-server host 192.168.X.X key XXXXXXXXXXX
  aaa authentication login telnet group tacacs+ enable
  aaa authentication login console enable
  aaa authentication enable default group tacacs+ enable
  aaa accounting send stop-record authentication failure
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting connection telnet start-stop group tacacs+
  line con 0
  authorization exec NO-AUTH
  login authentication console
  line vty 0 4
  authorization exec AUTH
  login authentication telnet
  aaa authorization exec AUTH group tacacs+ none
  aaa authorization config-commands
  aaa authorization exec NO-AUTH none
  aaa authorization commands 0 default group tacacs+ none
  aaa authorization commands 1 default group tacacs+ none
  aaa authorization commands 15 default group tacacs+ none

  Hi,
  This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
  Patch for appliance is availble on
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
  Patch name : ACS SE 4.1.1.23.5 accumulative patch
  Patch for acs windows is availble on
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
  Patch Name : ACS 4.1.1.23.5 accumulative patch
  That should fix the issue,
  Regards,
  Jagdeep
  Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

• Cisco ACS 5.1 Tacacs with Juniper Srx 210

  Hi all,
  I am trying to do authentication for Juniper SRX 210 FW With Cisco ACS 5.1 Tacacs but I am unable to acheive it ..
  Can any one help me how to add Junos service in ACS 5.1..How to Intergarte Juniper SRX 210 in Cisco ACS 5.1

  Hello Pranav
  As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
  You don't need to enable any new service. ACS is capable to attend any TACACS (or RADIUS) device as long as you tell ACS what are the TACACS (or RADIUS) attributes needed for that device.
  This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which JunOS router use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
  If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
  Please rate if it helps. Kind regards

• Does cisco ACS hardware run TACACS+ ?

  hi all
  I am very new to the security,
  my question is , does cisco ACS devices run TACACS+ ?
  or TACACS+ has to be installed in windows/linux ?
  thank you

  The below listed link will help you to configure tacacs authentication/authorization and also help you to integrate ACS with Active directory.
  ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
  ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• ACS Tacacs administration report Log Analyzer

  The logs in ACS are in .csv format. My system is generation huge logs due to more than 1000 devices configured in ACS. Is there any tools available to analyze the Tacacs administration logs ?
  Regards
  Hitesh Vinzoda

  Hi Hitesh,
  The only option you have is to download the .CSV files and import it into spreadsheets by using most popular spreadsheet application software. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.
  To download a CSV report:
  =========================
  # click Reports and Activity.
  # Click the CSV report filename that you want to download.
  # In the right pane of the browser, click Download.
  # You can easily analyse the logs in Microsoft excel
  How to filter and analyze logs ( with Regular Expression Syntax Definitions):
  ========================================
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp632961
  For downloading third party application
  http://www.extraxi.com/
  For more info, you can download the user guide:
  http://www.extraxi.com/PDFs/aaa-reports%20sales%20proposal%20-%20customer.pdf
  HTH
  Regards,
  JK

• TACACS Administration issue in Cisco ACS V4.1

  Hi,
  I am using Cisco Secure ACS V 4.1 for windows. When takingTACACS+  Administration report, report is not getting generated. I have come to know that this is a Bug in this version so as per the support forums they have suggested to update to ACS-4.1.1.23.Link which shows this is given below.
  https://supportforums.cisco.com/message/2015469;jsessionid=E5E34B6AE1216E24188E4712050285DC.node0
  For the same i have searched in cisco but this particular version is not present. enstead ACS 4.1.4.13 is present.
  Please let me know if i update ACS 4.1.4.13 will it resolve this TACACS+ administration report issue. else provide me the remedy to fix this issue.
  Thanks,
  Krishna.

  Krishna,
  That link does not have any full software listed, only patch are listed. This bug is fixed in ACS 4.1.1.23.5 accumulative patch which can be downloaded from that link.
  Incase you want to upgrade ACS, you need to open a TAC case to get the full software.
  Regards,
  ~JG
  Do rate helpful posts

• No TACACS+ Administration Logging on ACS

  I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this day but my ASA 5520 will only allow;
  aaa accounting command <server group> or <privilege>.
  How do I get this ASA and Windows ACS to collect TACACS+ administration?
  Note: My TACACS+ accounting does collect data on users ssh into the ASA.

  It's quite possible that you might be experiencing a know bug ( CSCsg97429 ) in ACS version 4.1.
  Get this Patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
  You rigth in regards to the command. It is needed for your NAS to send accounting information to the ACS.
  Here's an example of the commands:
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  Hope it helps.

• Juniper SSG and Cisco ACS v5.x Configuration

  I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
  Configure the Juniper (CLI)
    1. Add the Cisco ACS and TACACS+ configuration
       set auth-server CiscoACSv5 id 1
       set auth-server CiscoACSv5 server-name 192.168.1.100
       set auth-server CiscoACSv5 account-type admin
       set auth-server CiscoACSv5 type tacacs
       set auth-server CiscoACSv5 tacacs secret CiscoACSv5
       set auth-server CiscoACSv5 tacacs port 49
       set admin auth server CiscoACSv5
       set admin auth remote primary
       set admin auth remote root
       set admin privilege get-external
  Configure the Cisco ACS v5.x (GUI)
    1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
          Create the Juniper Shell Profile.
          Click the [Create] button at the bottom of the page
                  Select the General tab
                          Name:    Juniper
                          Description:  Custom Attributes for Juniper SSG320M
                  Select the Custom Attributes tab
                      Add the vsys attribute:
                          Attribute:                vsys
                          Requirement:       Manadatory
                          Value:                    root
                          Click the [Add^] button above the Attribute field
                      Add the privilege attribute:
                          Attribute:                privilege
                          Requirement:       Manadatory
                          Value:                    root
                                  Note: you can also use 'read-write' but then local admin doesn't work correctly
                          Click the [Add^] button above the Attribute field
                  Click the [Submit] button at the bottom of the page
  2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
          Create the Juniper Authorization Policy and filter by Device IP Address.
          Click the [Customize] button at the bottom Right of the page
                  Under Customize Conditions, select Device IP Address from the left window
                          Click the [>] button to add it
                  Click the [OK] button to close the window
                  Click the [Create] button at the bottom of the page to create a new rule
                          Under General, name the new rule Juniper, and ensure it is Enabled
                          Under Conditions, check the box next to Device IP Address
                                  Enter the ip address of the Juniper (192.168.1.100)
                          Under Results, click the [Select] button next to the Shell Profile field
                                  Select 'Juniper' and click the [OK] button
                          Under Results, click the [Select] button below the Command Sets (if used) field
                                  Select 'Permit All' and ensure all other boxes are UNCHECKED
                          Click the [OK] button to close the window
                  Click the [OK] button at the bottom of the page to close the window
                  Check the box next to the Juniper policy, then move the policy to the top of the list
                  Click the [Save Changes] button at the bottom of the page
  3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

  Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
  You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

• Cisco ACS (TACACS+) - AAA failure on WLC

  Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
  Authenication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and activity > failed attempts)
  Message Type: Author Failed
  Author-Failure-Code: Service denied
  Author-Data: service=ciscowlc protocol=common
  Anybody have any idea to resolve this problem.
  Thanks,
  Colm

  Hi,
  The document you referred is correct.
  What version of WLC are you running?
  Check this one:
  CSCsk21007    WLC requires tacacs authentication when configuration change ccess Control
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• Unable to generate reports in Cisco ACS 4.2

  Hi All,
  I have configured AAA on Firewall & i am successfully able to login into it using ACS username & password but unable to generate Accounting & Administration logs. Whenever i check either of these logs it shows me blank page. Below is the AAA config on Firewall.
  I have installed Cisco ACS 4.2 on windows 2003 server.
        aaa-server test protocol tacacs+
        aaa-server test (inside) host X.X.X.X
          key **********
        no aaa authentication http console AAA LOCAL
        aaa authentication http console test LOCAL
        no aaa authentication ssh console AAA LOCAL
        aaa authentication ssh console test LOCAL
        aaa authentication telnet console test LOCAL
        aaa authentication enable console test LOCAL
        aaa accounting enable console test
        aaa accounting ssh console test
        aaa accounting telnet console test   
        aaa accounting command test
  Awaiting for soln.
  Thanks in advance.
  Regards,
  Amit.

  I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered were hosed and I could build up the user/password database again.
  Look in your console log. If you see something like:
  Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
  It means that the postgresql database that is started for collection this information can startup. It will try several times, and then fail. The way to fix this
  -Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
  -increase the memory settings from the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
  and add something like this:
  kern.sysv.shmmax=167772160
  kern.sysv.shmmin=1
  kern.sysv.shmmni=32
  kern.sysv.shmseg=8
  kern.sysv.shmall=65536
  See also:
  http://forum.servoy.com/viewtopic.php?p=47461

• Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

  I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
  Thanks.

  Hi
  We (extraxi) offer migration and general consultancy for ACS if you need professional help.
  www.extraxi.com/contact.htm

• Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

• Configure Nexus 7k for TACACS in Cisco ACS

  Hi,
  Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active
  Directory.
  Please advise if the below config are acceptable:
  feature tacacs+
  tacacs-server key KEY
  tacacs-server timeout 20
  tacacs-server host 1.1.1.1 key KEY
  aaa group server tacacs+ TEST
      server 1.1.1.1
      use-vrf management
      source-interface mgmt0
  tacacs-server directed-request
  aaa authentication login default group TEST
  aaa authentication login console none
  aaa authorization commands default group TEST
  aaa accounting default group TEST
  aaa authentication login error-enable

  Hi,
  What OS version are u using on your servers?
  Craig

• Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

  Hi All,
  I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
  For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
  Thanks!

  I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
  1. Create a End Station Filter, here configure the user's IP
  2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
  3. Define your rule with the required result

• Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi all
  I have set up a dial up connection between to PC's at remote site and center. It using ISDN 30B+D which is configured on Router 3845. Currently I have configured authentic connection with username and password using Cisco ACS. To enhance the security configuration I want to authenticate both the phone number which dialup with Cisco ACS. And currently I have not done this. Please help me solve this problem.
  Thanks so much
  Longn

  1) I deleted bridge-utils, netcfg
  2) I edited /etc/hostapd/hostapd.conf:
  interface=wlan0
  #bridge=br0
  edited /etc/dnsmasq.conf:
  interface=wlan0
  dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
  and edited /etc/rc.local:
  ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
  ifconfig wlan0 up
  3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
  Profit!