Cisco ACS 4.2 TACACS+ Administration report - Help!
We had some switches mysteriously reload. Upon investigation, the TACACS+ Administration report shows no user logged in to the device and no command issued, and the reason = reload.
How could this happen?
Guna,
TACACS+ does not use VSAs.
RADIUS uses VSAs.
This is what I found online:
http://198.152.212.23/css/P8/documents/100106731
See if this helps.
It has an example of the server configuration.
In ACS 4, you need to use the shell (exec) service and priv-lvl=<value>.
(Similar to Cisco IOS)
Regards
Ed
Similar Messages
-
No TACACS+ Administration Reports after upgrade to ACS 4.1
Hi,
I was running ACS 4.0 demo version. Everything was running fine.
After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
Here is the config I'm using:
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
! login and enable authentication: TACACS+ first, local enable secret as fallback
aaa authentication login telnet group tacacs+ enable
aaa authentication login console enable
aaa authentication enable default group tacacs+ enable
! accounting: exec sessions, level 1 and level 15 commands, telnet connections
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection telnet start-stop group tacacs+
line con 0
 authorization exec NO-AUTH
 login authentication console
line vty 0 4
 authorization exec AUTH
 login authentication telnet
! authorization: TACACS+, with 'none' as the fallback method if no server answers
aaa authorization exec AUTH group tacacs+ none
aaa authorization config-commands
aaa authorization exec NO-AUTH none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Hi,
This is a known issue; you need to apply patch ACS 4.1.1.23.5 to fix it.
The patch for the appliance is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name: ACS SE 4.1.1.23.5 accumulative patch
The patch for ACS for Windows is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch name: ACS 4.1.1.23.5 accumulative patch
That should fix the issue,
Regards,
Jagdeep
Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it. -
Cisco ACS 5.1 Tacacs with Juniper Srx 210
Hi all,
I am trying to do authentication for a Juniper SRX 210 firewall with Cisco ACS 5.1 TACACS+, but I am unable to achieve it.
Can anyone help me with how to add a Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 in Cisco ACS 5.1?
Hello Pranav
As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS can serve any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes that device needs.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
Please rate if it helps. Kind regards -
Does cisco ACS hardware run TACACS+ ?
hi all
I am very new to security.
My question is: do Cisco ACS devices run TACACS+,
or does TACACS+ have to be installed on Windows/Linux?
Thank you
The links below will help you configure TACACS+ authentication/authorization and also help you integrate ACS with Active Directory.
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
Regards,
Jatin Katyal
*Do rate helpful posts* -
ACS Tacacs administration report Log Analyzer
The logs in ACS are in .csv format. My system is generating huge logs because more than 1000 devices are configured in ACS. Are there any tools available to analyze the TACACS+ Administration logs?
Regards
Hitesh Vinzoda
Hi Hitesh,
The only option you have is to download the .CSV files and import them into a spreadsheet application. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.
To download a CSV report:
=========================
# Click Reports and Activity.
# Click the CSV report filename that you want to download.
# In the right pane of the browser, click Download.
# You can easily analyse the logs in Microsoft Excel.
How to filter and analyze logs ( with Regular Expression Syntax Definitions):
========================================
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp632961
For downloading third party application
http://www.extraxi.com/
For more info, you can download the user guide:
http://www.extraxi.com/PDFs/aaa-reports%20sales%20proposal%20-%20customer.pdf
HTH
Regards,
JK -
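Neither the reload question at the top of this page nor Hitesh's question gets a concrete answer beyond "open the CSV in Excel", so here is an added example, written for this page and not taken from Cisco ACS, Extraxi or any of the posters, of the kind of first-pass analysis a practitioner wants over a TACACS+ Administration export: commands per device and per user, a watchlist of disruptive commands, level-15 commands from groups that should not have them, and records that carry no user and no command (the "reason = reload" case from the first post). The column names are an assumption about the ACS 4.x administration CSV (the script keys on header names, so adjust them to your own export's first row), the sample rows are constructed, and the watchlist and the NetAdmins group are assumptions to edit for your environment. Remember that ACS can only report what the NAS sends, so the `aaa accounting commands 15 ... start-stop group tacacs+` line discussed elsewhere on this page must be in place before this report contains anything.

```python
import csv
import io
from collections import Counter, defaultdict

# ASSUMED column layout for the ACS 4.x TACACS+ Administration CSV; the rows
# below are constructed sample data, not a real export.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,NAS-Portname,task_id,NAS-IP-Address,reason
03/14/2011,09:12:01,jsmith,NetAdmins,show running-config <cr>,15,shell,tty2,101,10.1.1.10,
03/14/2011,09:12:40,jsmith,NetAdmins,configure terminal <cr>,15,shell,tty2,102,10.1.1.10,
03/14/2011,09:13:05,jsmith,NetAdmins,interface GigabitEthernet0/1 <cr>,15,shell,tty2,103,10.1.1.10,
03/14/2011,09:15:22,jsmith,NetAdmins,write memory <cr>,15,shell,tty2,104,10.1.1.10,
03/14/2011,09:20:00,,,,0,system,,105,10.1.1.11,reload
03/14/2011,10:02:13,contractor1,ReadOnly,reload <cr>,15,shell,tty1,106,10.1.1.12,
03/14/2011,10:02:14,contractor1,ReadOnly,show version <cr>,1,shell,tty1,107,10.1.1.12,
"""

# Commands worth a second look regardless of who ran them (assumption: tune per site).
WATCHLIST = ("reload", "write erase", "erase startup-config", "configure terminal",
             "no aaa", "no tacacs-server", "no logging")
# Assumption: the only ACS group expected to run privilege-15 commands.
PRIV15_GROUPS = {"NetAdmins"}


def normalise_cmd(cmd):
    """ACS logs the parsed command with a trailing '<cr>' token; drop it and collapse spaces."""
    return " ".join(cmd.replace("<cr>", "").split())


def analyse(text):
    """Return per-device and per-user command counts, flagged rows and unattributed rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    per_device = defaultdict(Counter)   # NAS-IP-Address -> Counter(user -> command count)
    per_user = Counter()
    flagged = []
    unattributed = []
    for r in rows:
        user = (r.get("User-Name") or "").strip()
        group = (r.get("Group-Name") or "").strip()
        cmd = normalise_cmd(r.get("cmd") or "")
        nas = (r.get("NAS-IP-Address") or "").strip()
        priv = int(r.get("priv-lvl") or 0)
        if not user and not cmd:
            # No operator session behind this record: the device itself reported it
            # (the 'reason = reload' situation described in the first post above).
            unattributed.append({"date": r["Date"], "time": r["Time"], "nas": nas,
                                 "reason": (r.get("reason") or "").strip()})
            continue
        per_device[nas][user] += 1
        per_user[user] += 1
        why = []
        if any(cmd.startswith(w) for w in WATCHLIST):
            why.append("watchlist command")
        if priv == 15 and group not in PRIV15_GROUPS:
            why.append(f"priv-lvl 15 from group {group!r}")
        if why:
            flagged.append({"date": r["Date"], "time": r["Time"], "user": user,
                            "nas": nas, "cmd": cmd, "why": why})
    return {"per_device": per_device, "per_user": per_user,
            "flagged": flagged, "unattributed": unattributed}


def print_report(result):
    """Human-readable summary; the analysis itself lives in analyse() so it can be tested."""
    print("Commands per user:")
    for user, n in result["per_user"].most_common():
        print(f"  {user:<15} {n}")
    print("Commands per device (by user):")
    for nas, users in sorted(result["per_device"].items()):
        print(f"  {nas:<15} " + ", ".join(f"{u}={n}" for u, n in users.most_common()))
    print("Flagged:")
    for f in result["flagged"]:
        print(f"  {f['date']} {f['time']} {f['nas']} {f['user']}: {f['cmd']}  [{'; '.join(f['why'])}]")
    print("Records with no user and no command:")
    for u in result["unattributed"]:
        print(f"  {u['date']} {u['time']} {u['nas']} reason={u['reason'] or '-'}")


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("TACACS+ Administration.csv").read() for a real export.
    print_report(analyse(SAMPLE_CSV))
```

On the sample data this flags jsmith's `configure terminal` (watchlist only) and contractor1's `reload` (watchlist and a level-15 command from the ReadOnly group), and lists the one device-originated record with `reason=reload`. Because ACS rotates these files, run it over every daily CSV rather than only the current one, and treat an empty report as a finding in itself: it usually means the `aaa accounting commands` lines are missing on the device or the ACS 4.1 report bug discussed below is in play.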
TACACS Administration issue in Cisco ACS V4.1
Hi,
I am using Cisco Secure ACS 4.1 for Windows. When taking the TACACS+ Administration report, the report is not generated. I have come to know that this is a bug in this version, so per the support forums they have suggested updating to ACS 4.1.1.23. The link that shows this is given below.
https://supportforums.cisco.com/message/2015469;jsessionid=E5E34B6AE1216E24188E4712050285DC.node0
I have searched cisco.com for the same, but this particular version is not present; instead ACS 4.1.4.13 is present.
Please let me know whether updating to ACS 4.1.4.13 will resolve this TACACS+ Administration report issue; otherwise please provide a remedy to fix it.
Thanks,
Krishna.
Krishna,
That link does not have any full software listed, only patches are listed. This bug is fixed in the ACS 4.1.1.23.5 accumulative patch, which can be downloaded from that link.
In case you want to upgrade ACS, you need to open a TAC case to get the full software.
Regards,
~JG
Do rate helpful posts -
No TACACS+ Administration Logging on ACS
I can get a CSV file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS], but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
aaa accounting command <server group> or <privilege>.
How do I get this ASA and Windows ACS to collect TACACS+ administration?
Note: My TACACS+ accounting does collect data on users SSHing into the ASA.
It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
Get this patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
You're right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
Here's an example of the commands:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Hope it helps. -
Juniper SSG and Cisco ACS v5.x Configuration
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Mandatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Mandatory
Value: root
Note: you can also use 'read-write', but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom Right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the ip address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Log in to the Juniper CLI and GUI, and attempt to change something to verify the privilege level.
Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list, and I doubt it will be, as LMS's functions are mostly not applicable to the appliance or the software running on it.
You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server. -
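Ed's reply at the top of this page (shell service plus priv-lvl=<value>) and the SSG shell profile above (vsys=root and privilege=root, each marked Mandatory) are both descriptions of what ACS puts into the TACACS+ authorization REPLY. The following is an added example, written for this page and not code from Cisco, Juniper or any poster, that builds and parses that reply, including the two details that matter when a profile "doesn't take": the ACS Mandatory/Optional requirement is the single character between attribute and value ("=" mandatory, "*" optional, per RFC 8907), and the packet body is hidden only by an MD5-derived XOR pad keyed on the shared secret, with no integrity check. Assumptions: the shared secret CiscoACSv5 is reused from the SSG post purely as a value, the session id and sequence numbers are made up, and only the authorization REPLY is implemented (the REQUEST from the device and the TCP transport are out of scope).

```python
import hashlib
import struct

# Header and authorization-reply layout per RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear; never accept this in production
AUTHOR_STATUS_PASS_ADD = 0x01           # client keeps its own args and adds the server's
AUTHOR_STATUS_PASS_REPL = 0x02          # server's args replace the client's
AUTHOR_STATUS_FAIL = 0x10

VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, body length


def av_pair(attr, value, mandatory=True):
    """One attribute-value argument. '=' is mandatory (client must honour it or
    fail the authorization), '*' is optional (client may ignore it)."""
    if any(c in attr for c in "=*"):
        raise ValueError("attribute name may not contain the separator")
    return f"{attr}{'=' if mandatory else '*'}{value}".encode()


def parse_av_pair(arg):
    """Split on the first '=' or '*'; the value part may itself contain either."""
    s = arg.decode()
    for i, ch in enumerate(s):
        if ch in "=*":
            return s[:i], s[i + 1:], ch == "="
    raise ValueError(f"argument without separator: {s!r}")


def author_reply_body(status, args, server_msg=b"", data=b""):
    """status, arg_cnt, server_msg_len, data_len, one length byte per arg,
    then server_msg, data and the args back to back."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("argument count and length are one-byte fields")
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_reply_body(body):
    if len(body) < 6:
        raise ValueError("body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len]; off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in lens:
        args.append(body[off:off + n]); off += n
    if off != len(body):
        # With a wrong shared secret the de-obfuscated body is noise; the length
        # fields are the only thing that (usually) exposes that, there is no MAC.
        raise ValueError("declared field lengths do not match the body (wrong key?)")
    return status, server_msg, data, [parse_av_pair(a) for a in args]


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no), then each further block
    is MD5 of the same inputs with the previous digest appended."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, seq_no, key, status, args):
    body = obfuscate(author_reply_body(status, args), session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body)) + body


def parse_author_reply(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR or length != len(packet) - HEADER.size:
        raise ValueError("not a well-formed authorization packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("refusing a cleartext body")
    return parse_author_reply_body(obfuscate(packet[HEADER.size:], session_id, key, version, seq_no))


def demo(key=b"CiscoACSv5"):          # secret value taken from the SSG post; session id is made up
    session = 0x1234ABCD
    ios = build_author_reply(session, 2, key, AUTHOR_STATUS_PASS_ADD,
                             [av_pair("priv-lvl", 15), av_pair("idletime", 10, mandatory=False)])
    ssg = build_author_reply(session, 2, key, AUTHOR_STATUS_PASS_ADD,
                             [av_pair("vsys", "root"), av_pair("privilege", "root")])
    return parse_author_reply(ios, key), parse_author_reply(ssg, key)


if __name__ == "__main__":
    for status, _msg, _data, args in demo():
        print(hex(status), [f"{a}{'=' if m else '*'}{v}" for a, v, m in args])
```

Two practical consequences follow from the code. First, a Mandatory attribute the device does not understand makes the device fail the whole authorization, which is why an unknown attribute name in a shell profile shows up as a login that authenticates and then drops; make it Optional while you are still discovering the right names, as the SRX answer above suggests. Second, because the pad is derived only from the session id, the secret and two header bytes, anyone on the path who learns the secret can read and forge every session; TACACS+ therefore belongs on a management VRF or an IPsec-protected path, and the secret must be unique per device rather than the same string on a thousand switches.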
Cisco ACS (TACACS+) - AAA failure on WLC
Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
Authentication is failing on the WLC. Currently I am getting the below error message on the Cisco ACS server (Reports and Activity > Failed Attempts):
Message Type: Author Failed
Author-Failure-Code: Service denied
Author-Data: service=ciscowlc protocol=common
Does anybody have any idea how to resolve this problem?
Thanks,
Colm
Hi,
The document you referred is correct.
What version of WLC are you running?
Check this one:
CSCsk21007 WLC requires tacacs authentication when configuration change Access Control
HTH
Regards,
JK
Please rate helpful posts -
Unable to generate reports in Cisco ACS 4.2
Hi All,
I have configured AAA on the firewall and I am successfully able to log in to it using an ACS username and password, but I am unable to generate Accounting and Administration logs. Whenever I check either of these logs it shows me a blank page. Below is the AAA config on the firewall.
I have installed Cisco ACS 4.2 on windows 2003 server.
aaa-server test protocol tacacs+
aaa-server test (inside) host X.X.X.X
key **********
no aaa authentication http console AAA LOCAL
aaa authentication http console test LOCAL
no aaa authentication ssh console AAA LOCAL
aaa authentication ssh console test LOCAL
aaa authentication telnet console test LOCAL
aaa authentication enable console test LOCAL
aaa accounting enable console test
aaa accounting ssh console test
aaa accounting telnet console test
aaa accounting command test
Awaiting a solution.
Thanks in advance.
Regards,
Amit.
I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered to be hosed, and I could build up the user/password database again.
Look in your console log. If you see something like:
Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
it means that the postgresql database that is started for collecting this information cannot start up. It will try several times, and then fail. The way to fix this:
- Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
- increase the memory settings for the whole system. In Leopard you do that by creating a file called /etc/sysctl.conf
and adding something like this:
kern.sysv.shmmax=167772160
kern.sysv.shmmin=1
kern.sysv.shmmni=32
kern.sysv.shmseg=8
kern.sysv.shmall=65536
See also:
http://forum.servoy.com/viewtopic.php?p=47461 -
Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance
I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
Thanks.
Hi
We (extraxi) offer migration and general consultancy for ACS if you need professional help.
www.extraxi.com/contact.htm -
Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure
I am evaluating the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for "Monitoring and Reports": no matter what browser I try, it just keeps loading new tabs of the welcome screen, and with some browser versions it does this and does not stop.
I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
I have tried the following browsers on MacOS 10.6: Firefox 4, Safari 5.0.5
In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right-hand frame.
This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was no documentation that mentioned that anything needed to be set up for this to work after the initial install, unless I missed something.
I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
Can anyone provide any help on this?
Configure Nexus 7k for TACACS in Cisco ACS
Hi,
Please advise on how to configure a Cisco Nexus 7k for TACACS+ to authenticate against Cisco ACS. Our Cisco ACS is getting users from Active Directory.
Please advise whether the config below is acceptable:
feature tacacs+
tacacs-server key KEY
tacacs-server timeout 20
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
  server 1.1.1.1
  use-vrf management
  source-interface mgmt0
tacacs-server directed-request
! default login method uses the TEST server group; the console uses no authentication
aaa authentication login default group TEST
aaa authentication login console none
aaa authorization commands default group TEST
aaa accounting default group TEST
aaa authentication login error-enable
Hi,
What OS version are you using on your servers?
Craig -
Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???
Hi All,
I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
Thanks!
I see your point. This depends on whether the user's IP is provided in the authentication request; if that information is provided, then you can use the feature called "End Station Filter". This feature is used as a condition in the Access Policy to deny or allow access. Below are the steps:
1. Create an End Station Filter; here, configure the user's IP
2. Customize your Conditions under Access Policies > Authorization to use End Station Filter
3. Define your rule with the required result -
Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS
Hi all
I have set up a dial-up connection between two PCs, one at a remote site and one at the center. It uses ISDN 30B+D, which is configured on a 3845 router. Currently I have configured an authenticated connection with username and password using Cisco ACS. To enhance security, I also want to authenticate the phone number that dials up, using Cisco ACS, and currently I have not done this. Please help me solve this problem.
Thanks so much
Longn
1) I deleted bridge-utils, netcfg
2) I edited /etc/hostapd/hostapd.conf:
interface=wlan0
#bridge=br0
edited /etc/dnsmasq.conf:
interface=wlan0
dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
and edited /etc/rc.local:
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
ifconfig wlan0 up
3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
Profit!