Cisco ACS Appliance

I'm trying to customize the Appliance, which is running ACS 3.3.2.1, via the web interface. When I click on Interface configuration, only "User Data Configuration" and "Advanced Options" selections are displayed. We are customizing this appliance as a Tacacs Server. The "TACACS+ (Cisco IOS)" selection is missing or hidden. How do I get this selection to appear under Interface Configuration?

You need to have a device configured in the network section to use TACACS+ for authentication before this option appears.

Similar Messages

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on acs appliance then they will be releasing it soon.
    As of now we can't apply any windows patch on appliance.

  • Cisco ACS appliance max clients?

    Hello,
    I am trying to find out if the Cisco ACS 4.2 or 5.2 Appliance has a built-in limit on the amount of AAA clients that can authenticate against it. Is it session based or depending on the amount of clients listed in the setup?
    Thank you

    Got lucky on Google. I guess I'll need to learn to navigate this site better.
    https://supportforums.cisco.com/message/3159718

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned... just reporting issues. I hope this helps.

  • Remove a device from Cisco ACS Appliance v 4.2

    I am trying to remove a device that was added.
    I know I have to do this via RDBMS synchronization since the device name is over 32 characters long.
    I cannot seem to find my example or the action codes to delete this device.
    If the device name is deviceabcde.all-equipment.mine.com.  I know it is not 32 characters, but removal via sync'ing will be the same.
    Any help would be appreciated.
    dwane

    You can try using the Device and Credentials Repository command line interface (dcrcli). Instructions for its use are located here.
    If the issue is with the Fault tool (also known as DFM) then please see this thread about re-initializing the DFM databases.

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after initial setup, we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange but we have found no way to make them work. We have tried several things, which I describe below in case you can give us any hint:
    1. We have rebooted the appliance and we can see through the console all the start-up process, but when it finally finishes the start-up, we see no login prompt.
    2. We have also shut down the appliance properly and powered it off and on again. Same results. The appliances boot normally but still we don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages, but when it finishes the start-up process... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it, but when in trouble...) and I see the full start-up process and it includes the base Windows 2000 Server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wished we could do, but as you know, this is a secured system and I don't know if there is a back door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem being locked out of the console after the initial configuration wizard.
    I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by doing F8 and rebooting the server with the last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running.
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • Rendering a Cisco ACS page is broken in Firefox 15

    Since updating to Firefox 15, a page inside my Cisco ACS appliance does not render: Access Policies > Access Services > Default Network Access > Authorization.
    The page has historically taken 15-20 seconds to fully load its contents, and the page now renders as if Firefox 15 got sick of waiting and just displayed what content it had. Is this a problem with rendering the page or perhaps did the value of a timer get changed in Firefox 15?
    The Cisco appliance is not public-facing, so I am happy to do a screen-sharing session with a Mozilla engineer if it would help troubleshoot. Thanks.

    Still broken in 16... Great, now I have to run a version that is 2 versions old.

  • ACS appliance setup help

    Network environment:
    - Windows 2003 with enterprise CA
    - Cisco ACS appliance 4.1.1.23
    - Cisco 1240 AG series APs
    Wireless clients:
    - Windows XP SP2
    Brief steps taken:
    - Installed Enterprise CA
    - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
    - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
    - Generated certificate request from ACS (1024 key length).
    - Submitted server request from ftp server - Submit a certificate request using base 64…
    - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
    - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
    Brief config of ACS appliance
    Global config
    - PEAP -Selected “Allow EAP-MSCHAPv2”.
    - LEAP - Allow LEAP (For Aironet only)
    - Selected “Allow MS-CHAP Version 1 & 2 authentication”
    - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)”
    - Under External user DB / DB config / Windows database, “Enable PEAP machine authentication” selected.
    1240 series AP config
    - Under Server Manager, ACS IP with shared secret entered as a Radius server.
    - Selected EAP authentication.
    - Under SSID Manager selected open Authentication with EAP & selected network EAP.
    - Under Encryption Manager selected WEP Encryption & mandatory.
    - Selected key 1 and entered 128 bit key
    Client (windows XP SP2 domain member) config
    - Connected to Enterprise CA web site, base64 encoding/download CA certificate
    and installed it in local computer store.
    - Under Network authentication selected open with WEP, EAP type “Protected EAP (PEAP)”
    - Authenticate as a computer selected
    - Selected my CA under “Trusted Certification Authorities”
    - Authentication method (EAP-MSCHAP V2)
    Errors:
    Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
    Or
    Computer doesn't have correct certificate
    Used 43486, 64067, 71929
    Any suggestions very much appreciated.

    ACS Agent is installed on two DC's as well and they are detected by ACS.
    Thanks

  • ACS appliance -- AD -- RSA Securid Server

    I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
    Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
    But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
    Here's more info:
    In Active Directory, the remote agent for ACS installed successfully. The agent for RSA is also installed successfully.
    In ACS appliance, remote agent was already pointed to AD.
    No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
    How can I manage to configure RSA SecurID Token Server in my ACS appliance?

    Hello,
    The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
    I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
    ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
    One thing to point out straight away, also mentioned in the document above:
    Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement in the CHAP RFC (1994) that states:
    CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
    This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
    username: xxxx
    password: xxxx
    Password Authentication Protocol (PAP) is a better choice here.
    This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the proper combination out of different clearly named input fields to simplify the input for inexperienced users.
    Hope this helps! Please rate all posts.
    Regards, Martin
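
    The RFC 1994 point above, as an added illustration that is not part of the thread or of any Cisco or RSA code: a CHAP verifier must recompute MD5(Identifier || secret || Challenge), so it needs the plaintext secret and cannot work from a one-way hash or from a backend that only answers yes/no to a one-time passcode, whereas PAP delivers the cleartext credential and the server can hand the token part of "username*token" to such a backend. The TokenBackend class and the usernames and passcodes are constructed for the demo.

```python
# Added illustration (not from the forum thread, Cisco or RSA): why RFC 1994 CHAP
# needs the plaintext secret, and how PAP lets a verify-only token backend work.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """The verifier recomputes the digest, so whatever it stores must be the
    secret itself; a one-way hash of the secret yields a different digest."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


class TokenBackend:
    """Constructed stand-in for a token server: it only answers yes/no for a
    submitted one-time passcode and never hands out a reusable secret."""

    def __init__(self, current_codes: dict):
        self._codes = current_codes  # {username: currently valid passcode}

    def validate(self, username: str, passcode: str) -> bool:
        return hmac.compare_digest(self._codes.get(username, ""), passcode)


def split_user_token(combined: str):
    """Parse the 'username*token' form the post describes; None if malformed."""
    if "*" not in combined:
        return None
    username, token = combined.split("*", 1)
    if not username or not token:
        return None
    return username, token


def pap_authenticate(backend: TokenBackend, combined: str) -> bool:
    """PAP delivers the credential in clear, so the server can pass it to a
    backend that can only verify; no reusable secret is stored anywhere."""
    parsed = split_user_token(combined)
    if parsed is None:
        return False
    username, token = parsed
    return backend.validate(username, token)


def demo() -> dict:
    """Run both protocols against a plaintext store, a hashed store and a
    verify-only token backend (all constructed sample data)."""
    challenge = os.urandom(16)
    secret = b"correct horse"
    resp = chap_response(7, secret, challenge)
    hashed_store = hashlib.sha256(secret).digest()  # "irreversibly encrypted"
    backend = TokenBackend({"alice": "493215"})
    return {
        "chap_plaintext_store": chap_verify(7, secret, challenge, resp),
        "chap_hashed_store": chap_verify(7, hashed_store, challenge, resp),
        "pap_token_ok": pap_authenticate(backend, "alice*493215"),
        "pap_token_bad": pap_authenticate(backend, "alice*000000"),
        "pap_malformed": pap_authenticate(backend, "alice"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```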

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request.
    Could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ tac_admin
       server x.x.x.x
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group x.x.x.x
    On the ACS side for the group named "Network Administrators" you should configure in the TACACS+ settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have an additional context add the next line
              shell:mycontext*Admin default-domain
    After logging in to ACE and issuing the sh users command you should see the following:
    User        Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x      Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • Cisco ACS Engine appliance 1120 software upgrade

    I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

    It is highly suspicious that you would have a 1120 appliance that is running 3.3
    ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
    ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
    As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
    Nicolas

  • Cisco ACS 5.3 patch 8 OPT Volume

    Hello,
    We currently have 12 ACS appliances, with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network ports and wireless access. We are authenticating desktops, laptops, smart phones, etc. on our network.
    The problem we are having is the OPT volume exceeding the 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
    In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
    This last time we ran into the 30% volume size quicker than we have previously had. I had Cisco TAC delete the OPT volume and recreate it.
    Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
    The questions I have are:
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    We have Data Purging set to 30 days. We are performing Full and Incremental backups of the database. We are also sending the local logs to a Syslog server.
    We are testing making changes to send only the AAA Audit and System Statistics logs to Log Collector.
    Thanks,

    In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However you've a large deployment so I'm sure the authentication rate would be high too, causing the view-database size to keep on increasing.
    In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.
    There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
    1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 a new option is provided to do an on-demand purge as well.
    2. Compress: This mechanism frees up unused space in the database without deleting any records. Before, the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met.
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on data purging and data compression enhancements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
    - Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log collector.
    - Provide a fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.
    - With the below listed command you can check the actual and physical size of the MnT database
         acs-config
         Username: acsadmin
         Password: ***********
         acsview show-dbsize
    There are a few known defects on the same issue. However, the version you're running improves database management processes.
    CSCto47203: ACS 5 runs out of disk space
    CSCua51804: View backup fails even when there is space in disk
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco acs 1120 upgrade to 4.2.1.15 help

    Hi All,
    I have a Cisco 1120 appliance downgraded from ACS 5.0 to ACS 4.2.0.124. I need to upgrade to ACS 4.2.1.15. Does the Cisco 1120 ACS appliance support 4.2.1.15? How can I upgrade to 4.2.1.15 from 4.2.0.124?
    Does it require any distribution server for the upgrade process? Please suggest on this. Thank you

    Yes, you can upgrade it to 4.2.1.15 and you can download the version from the below listed link;
    http://tools.cisco.com/squish/d4e4A
    Here are the files you need to download:
    ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
    ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
    NOTE: Please apply the management upgrade first and then the software upgrade.
    Distribution server is a machine from where you can upload the patch onto the Cisco Secure ACS Appliance so If you will download the version on your laptop and upload it from there then that would be distribution server (Nothing special)
    Upgrade an appliance to 4.2.1.15
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1148376
    Hope this helps.
    Rgds,  Jatin
    Do rate helpful posts~
