Cisco ACS Appliance and Passed Authentication Logs
I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
Thanks for any suggestions!
What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I hope this helps.
Similar Messages
-
Passed Authentication Logs on ACS 4113 SE appliance
I need to get a copy of all Passed Authentication logs from our appliance. Is there a way that I can ftp all those files to another device? Or is there another way that I can retrieve those files?
Thanks
Dwane
Dwane,
Yes, you can send logs to another system on the network using remote agent.
Remote Logging for ACS SE with ACS Remote Agents
The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.
For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1
Regards,
~JG
Do rate helpful posts -
ACS appliance and remote agent testing
Having problems with integrating ACS appliance with Active Directory. Have installed the remote agent on a member server and from the ACS appliance can enumerate the Active Directory groups correctly so there is at least some communication happening.
Looking at the remote agent logs, whenever a request for the AD groups comes through you see corresponding log entries. When a user tries to authenticate, though, there are no logs coming through to the remote agent. So maybe it is not being sent to the remote agent?
In the failed authentications log on the ACS the error is unknown user, it does show the correct username + domain as the person trying to authenticate.
The Windows server is setup for unknown user policy.
ACS version is 4.1.1.23, Remote Agent is latest version available.
Any ideas or things to check?
Hi,
As per your last line, it seems that the ACS and RA versions are not the same. Please note that the ACS appliance and RA software versions have to be the same, else it won't work.
Regards,
~JG -
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There is no problem between the primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
Patrick
Tarik Admani wrote:
Amjad,
That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
Thanks,
Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary), and all the configuration can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
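The "11036 The Message-Authenticator RADIUS attribute is invalid" error above comes from the check described in RFC 3579: the server zeroes the received Message-Authenticator value, recomputes HMAC-MD5 over the packet with its own copy of the shared secret, and compares. The following is an added example (not from this thread or from Cisco) that builds an Access-Request the way a NAS would and then verifies it with a matching and a mismatched secret; the secrets, user name and addresses are constructed.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 3579 section 3.2)
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS = 1, 4


def build_access_request(secret, identifier, attrs):
    """NAS side: Access-Request whose Message-Authenticator is HMAC-MD5 keyed with the shared secret."""
    req_auth = os.urandom(16)  # Request Authenticator: 16 random octets
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # The HMAC covers the whole packet with the attribute value set to 16 zero octets
    placeholder = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + req_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + mac


def message_authenticator_valid(packet, secret):
    """Server side: zero the received value, recompute with the server's secret, compare in constant time."""
    header, attrs = packet[:20], packet[20:]
    zeroed, received, pos = b"", None, 0
    while pos < len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False  # malformed attribute; never loop on a zero-length TLV
        value = attrs[pos + 2:pos + length]
        if t == MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        zeroed += bytes([t, length]) + value
        pos += length
    if received is None or len(received) != 16:
        return False  # Access-Request with EAP and no Message-Authenticator must be rejected
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


# Constructed demo: the WLC and one ACS share "good"; the other ACS holds a different secret
WLC_SECRET = b"good"
REQUEST = build_access_request(
    WLC_SECRET, 7, [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))]
)
```

The mismatch check is per NAS entry on each ACS, so a secret that is correct on one server and wrong on its peer produces exactly the asymmetric failure described in the post.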
Cisco ACS 1121 version 5.3 - Logging
Hi There
I'm new to Cisco ACS 5.X. From what I have read, the Cisco ACS can act as a logging server. Does this mean all the syslog messages from all the other ACS and network devices can be stored by ACS? I'm a bit confused on this part.
Lastly, I understand that Cisco ACS has many, or maybe 2, instances? When do we use these instances? What is an instance?
Regards,
Ram
In the distributed deployment, you should specify one ACS server as the Log Collector. All other servers send logs to the Log Collector.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/logging.html
In the distributed deployment, each ACS server is one instance. So you have one primary instance and multiple secondary instances.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/introd.html#wp1058054
-
Hi
I am trying to export my passed/failed authentication log to MS-Excel. Since my log in ACS is huge, MS-Excel's restriction on the number of rows and columns is a problem. How do I delete the old logs and have only the logs between specified dates?
Or is there any other mechanism so that I can open this log file in .csv format without truncating the content of the log file?
Any help is appreciated
Thanks in advance
There are utilities about that allow you to split a file into a series of files, each containing only N lines.
Alternatively, have you looked at AAA Reports from Extraxi? That allows you to do a whole host of reports and handles all the issues of archiving and management of the data. -
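As an added example (not from this thread or from Cisco), a small Python script that does the two things asked about on this page with the ACS 4.x CSV export: keep only the rows between two dates and split the result into pieces small enough for Excel, and, for the first question in the thread, report the highest number of authentications any one user logged within a single minute. The sample lines are constructed; only the first four column positions (Date, Time, Message-Type, User-Name) follow the log line quoted in this thread, the remaining columns are assumed.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export: Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Profile,...
# "alice" authenticates every 20 seconds, the pattern the first poster saw.
SAMPLE_LOG = """\
02/24/2010,05:07:00,Authen OK,alice,Network Administrators(NDG),10.0.0.5,(Default),,
02/24/2010,05:07:20,Authen OK,alice,Network Administrators(NDG),10.0.0.5,(Default),,
02/24/2010,05:07:40,Authen OK,alice,Network Administrators(NDG),10.0.0.5,(Default),,
02/24/2010,05:08:03,Authen OK,bob,Network Administrators(NDG),10.0.0.7,(Default),,
02/25/2010,09:15:11,Authen OK,bob,Network Administrators(NDG),10.0.0.7,(Default),,
02/26/2010,11:00:00,Authen OK,carol,Network Administrators(NDG),10.0.0.9,(Default),,
"""


def parse_rows(text):
    """Parse CSV lines into (timestamp, user, raw_row); ACS writes the date as MM/DD/YYYY."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 4:
            continue  # skip blank or truncated lines
        stamp = datetime.strptime(f"{row[0]} {row[1]}", "%m/%d/%Y %H:%M:%S")
        rows.append((stamp, row[3], row))
    return rows


def filter_by_date(rows, start, end):
    """Keep rows whose date lies between start and end inclusive, both as MM/DD/YYYY."""
    first = datetime.strptime(start, "%m/%d/%Y").date()
    last = datetime.strptime(end, "%m/%d/%Y").date()
    return [r for r in rows if first <= r[0].date() <= last]


def chunk(rows, size):
    """Split into lists of at most `size` rows; write each with csv.writer to its own .csv."""
    return [rows[i:i + size] for i in range(0, len(rows), size)]


def per_minute_peak(rows):
    """Highest number of authentications any single user logged within one clock minute."""
    counts = Counter((user, stamp.replace(second=0)) for stamp, user, _ in rows)
    peak = defaultdict(int)
    for (user, _), n in counts.items():
        peak[user] = max(peak[user], n)
    return dict(peak)
```

A per-user peak well above one per minute for a wired user is worth comparing against a packet capture on the ACS, as the first reply suggests, to tell real re-authentication from duplicate reporting.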
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, David
Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.
-
Cisco ACS 4.2.1 authentication problem
We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate against Windows 2003 Active Directory. We have updated the Active Directory server to Windows 2008. We have checked the configuration of ACS for the Windows database and found no problem, but we can't see the dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.
Hi there,
There is a section in ACS 4.x where you can define whether ACS should show the dynamic users or not; make sure that this option is unchecked. For this, go to External User Databases/Unknown User Policy/Configure Caching Unknown Users.
Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
Let me know if this helps. -
Windows Update for Cisco ACS appliance
Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?
If the patch is necessary on acs appliance then they will be releasing it soon.
As of now we can't apply any windows patch on appliance. -
Cisco ACS appliance max clients?
Hello,
I am trying to find out if the Cisco ACS 4.2 or 5.2 Appliance has a built-in limit on the number of AAA clients that can authenticate against it. Is it session based or dependent on the amount of clients listed in the setup?
Thank you
Got lucky on Google. I guess I'll need to learn to navigate this site better.
https://supportforums.cisco.com/message/3159718 -
I'm trying to customize the Appliance, which is running ACS 3.3.2.1, via the web interface. When I click on Interface configuration, only "User Data Configuration" and "Advanced Options" selections are displayed. We are customizing this appliance as a Tacacs Server. The "TACACS+ (Cisco IOS)" selection is missing or hidden. How do I get this selection to appear under Interface Configuration?
You need to have a device configured in the network section to use TACACS+ for authentication before this option appears.
-
I setup a Cisco Home Network and Need help Logging into It
Hello, I have four 2521 routers and three 2954 switches. I connected my ISP's modem from the Ethernet port and plugged it into port 24 of one of my switches. I also configured the switch for VTY access and gave it a login password. I would like to log into the switch to configure it and telnet into all the other devices from a remote location. But I am unable to ping the public address assigned to me by my ISP. So I can't even telnet to the switch. Help
With help from elsewhere, I have learned how to change the colors and figured out a few other things. I have another question, though.
I want to put a Twitter widget and a comment box on my website. I have the widget code from Twitter, but it is HTML and javascript or something. Can I just put these codes into the modules of the flash template? If you look at the template, you should see that it has modules that have editable HTML text areas, but I don't know if it is limited to text or something, or if it will function correctly if I put other HTML codes in it such as script codes, etc in it.
Also, if that works, does anyone know where I can get a code to put the comment box in one of the modules? I don't mean a contact box, I mean a widget where people can leave comments and the comments display on the page, like on a myspace profile. Just something simple that allows a visitor to leave a name and a text-only comment. I would also like to be able to selectively delete comments in case of spammers, etc.
I found this, which might be what I am looking for, just a simple comment box, but this one is flash:
http://activeden.net/item/commenting-with-no-database/69183?sso?WT.ac=search_item&WT.seg_1 =search_item&WT.z_author=flashBrian
-
Remove a device from Cisco ACS Appliance v 4.2
I am trying to remove a device that was added.
I know I have to do this via RDBMS synchronization since the device name is over 32 characters long.
I cannot seem to find my example or the action codes to delete this device.
If the device name is deviceabcde.all-equipment.mine.com. I know it is not 32 characters, but removal via sync'ing will be the same.
Any help would be appreciated.
dwane
You can try using the Device and Credentials Repository command line interface (dcrcli). Instructions for its use are located here.
If the issue is with the Fault tool (also known as DFM) then please see this thread about re-initializing the DFM databases. -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and the others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
If you have an additional context, add the next line:
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting Internal Error.
After this answer I have upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu