Cisco ACS config file

Similar Messages

• Cisco acs "manifest file not found" help

  srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
  Do you want to save the current configuration ? (yes/no) [yes] ? no
  6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
  7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
  7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
  % Manifest file not found in the bundle
  srvacs01/admin#
  Cisco Application Deployment Engine OS Release: 1.2
  ADE-OS Build Version: 1.2.0.228
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2009 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: srvacs01
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.3.0.40.40
  Internal Build ID : B.839
  Patches :
  5-3-0-40-7
  5-3-0-40-9
  Pointed-PreUpgrade-CSCum04132-5-3-0-40

  Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
  The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade ACS Express
  Solution
  Complete these steps in order to upgrade the ACS appliance without any issue:
  Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
  After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
  Use this command in order to install the upgrade:
  application upgrade <application-bundle> remote-repository-name
  This completes the upgrade procedure.
  Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
  please refer the upgrading acs server 5.4 to 5.5, for complete process.

• Missing Cisco 7960G config files

  Hi
  By mistake I'v deleted my configuration files for my phones, and I'm a total newbee in this area.
  Can anybodt please post the files or a link to the files?
  If possible with all config options writen in the files.
  //Piet Pedersen

  You can download 7960g software load, from the following URL:
  http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml

• Is it possible to create a cisco config file based on a polycom config file?

  Hello,
  We have 12 spa509g phones that are barely working with our provider (voxox).
  My provider gave me the config files that are used to set up polycom phones as those are the only phones they support.
  Features that currently work: incoming calls, outgoing calls, blind transfer, voicemail, call hold
  Features that do not work: call presence - solid orange lights, attended transfer, paging 
  I've upgraded the firmware to 7.5.6 and configured the phone through the GUI as much as i can but I can't seem to enable the above features.
  Any help would be highly appreciated as I'm about to buy polycom phones if we can't figure the configuration out.
  Attached are the configuration files from voxox concerning polycom phones. confidential data says "removed"
  If anyone thinks that this is possible, I can send a copy of my current cisco configuration file. 
  Thanks,
  Philip

  Well, I have no polycom phone, not I have personal experience with voxox. I wish the following document may help a lot - it describe Polycom configuration somewhat. As you have no Polycom, you have no current <mac>-directory.xml. So you don't know the device name you should subscribe to. But it seems to be a DID-number.
  Just try it.
  On the other side, ask Voxox for help. Don't ask for configuration files, ask for configuration instructions expressed in terms of the SIP protocols. Consider switch to more friendly and technically skilled VoIP operator if they will not understand what the SIP stand for ...
  By the way, wrong forum. Your issue has nothing to do with XML Phone Application interface. I'm not sure someone will respond you here.

• Radius Dictionary file conversion from free radius/steelbelt to cisco acs

  Does anyone have a tool or have experience converting a free radius dictionary file to cisco acs radius format.

  The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
  You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
  The information needed is the following
  all of these items really need to be gathered at the same time
  switch debugs including
  debug radius
  debug aaa authen
  debug aaa accounting
  sniffer capture between the switch and the ACS
  logs from ACS with debugs enabled.
  If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
  all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested

• Locking GUI of Cisco IP terminals leaving terminal unlock | via config file

  Hi Guys, 
  On the Cisco SPA VoIP handset range, there is an option for a 'System  Configuration User Password'.
  This feature allows additional security  within the GUI and also locks down some of the menus on the phones.
  These phone menus can be overridden, leaving the GUI password in  place.  However, this is a manual process on the phone itself.
  Is there any way  of removing the user password on the handset, but  keeping it live on the  GUI and to do this all via the config file.
  Regards
  Shivam

  What version is the older AP's on and what version is the new ones running?  There were some changes with the config formatting between certain versions.  Make sure all the AP's are running the same version and try loading the config again.

• Cisco 7920 and Aironet 1100 (Downloading config file)

  For some reason the 7920 is trying to Downlaod the config file and can't pass that screen.
  It authenticates just fine and the i get the screen "downloading config file" and that's it.
  It's been doing the same thig all morning.
  Not sure what's going on.
  please help.
  Call Manager 4.1.3 Aironet 1100
  Thanks
  Zeek

  ok, so i guess after a while, the phone said "upgrading firmware" and after resseting, i got to the screen with the line up.
  I still have a problem though.
  i can dial a phone, it will call but once someone answer on the other side, the 7920 resets itself.
  PLease help.

• Cisco spa502g incorrect config file provisioned

  Hi Guys,
  Apologies if this is not in the right location for this question. But i have several phones which have not been rmeoved from the portal correctly or have been used as test phones on site. Now i have been able to get them removed from portal so that i can use them again however the issue i face is i cant reset the physical phones, they currently have a config file which if you log into the phone is asking for username and password so i cant check the URL for the provisioning file. I have no idea what this username and password would be and i have also tried doing it through the phone to no avail. I have read about how it may be possible to force a config file on using a tftp server, so have downloaded Solar winds but will be honest i have no idea how to do it. Nor have i got a config file to put on the phone.
  I am in a business enviroment so have got a POE switch and plugged laptop directly in and a SPA502G plugged in next to it. I have left the device all weekend to see if it would pick up a new config file after it cant find one as this was advised to me by BT wholesale. This has not worked either.
  Could somebody please asssit me with either explaining how i can get a config file on using solar winds tftp or if somebody knows another process on how i can reset these phones to ensure they have got the right provision file.
  Look forward to your response.
  Thank you 

  Wrong forum, post in "small business - SPA phones": You can move your posting with the Actions panel on the right.

• Cisco ACS 5.3 patch 8 OPT Volume

  Hello,
  We currently have 12 ACS appliance with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktop, laptops, smart phones, etc on our network.
  The problem we are having is the OPT volume exceeding 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
  In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time is was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
  This last time we ran into the 30% volume size quicker then we have previously had. I had Cisco TAC delete the OPT volume and recreate it.
  Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
  The questions I have is:
  At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
  Is there something else we can be do to reduce the amount of logs that are being sent to the Log Collector?
  We have Data Purging set to 30 days. We are performing Full and Incremental backups of database. We are also sending the local logs a Syslog server.
  We are testing making changes to send only the AAA Audit and System Statistics logs to Log Collector.
  Thanks,

  In distributed setup, its recommended to configure a dedicated  secondary server as a log collector. However you've a large deployment  so I'm sure authentication rate would be high too causing view-database  size keep on increasing.
  In order to prevent running out of disk space we need  to manage it. That means identifying the files that are created and  written to by  processes on the system, allocating a space budget to  them such that if  the files stay within their budget all services can  be supported without  interruption, and then defining and implementing  facilities to keep  those files within their budget.
  There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
  1. Purge: In this mechanism the data will be purged based  on the  configured data retention period or upon reaching the upper  limit of the  database.  In Patch 6 new option provided to do on demand  purge as  well.
  2. Compress: This mechanism frees up  unused space in the  database without deleting any records. Before the  compress option could  only be run manually.  In ACS 5.3 Patch 6 there  are enhancements so it  will run daily at a predefined time, automatically when specific  criteria are met.
  At what percentage size for the OPT volume should we be  concerned before it starts impacting the performance of the Log  Collector?
  TAC recommendations are right. You will able to utilize all feature of ACS if /opt is below 30%.
  Is there something else we can be do to reduce the amount of logs that are being sent to the Log Collector?
  It seems you're using most of the features/mechanisms to have /opt low. However, you may be intrested to read more on data purging and data compression enhancements http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
  - Please use System Administration >  Configuration > Log  Configuration >  Logging Categories >  Global To configure sending  only the required logs to the ACS View log-collector.
  - Provide the fresh screenshot of the page Monitoring   Configuration > System Operations > Data Management > Removal   and Backup.
  - With the below listed command you can check the actual and physical size of the MnT database
       acs-config
       Username: acsadmin
       Password: ***********
       acsview show-dbsize
  There are few known defects on the same issue. However, the version you're running improves database management processes.
  CSCto47203: ACS 5 runs out of disk space
  CSCua51804: View backup fails   even when there is space in disk
  Jatin Katyal
  - Do rate helpful posts -

• Unable to generate reports in Cisco ACS 4.2

  Hi All,
  I have configured AAA on Firewall & i am successfully able to login into it using ACS username & password but unable to generate Accounting & Administration logs. Whenever i check either of these logs it shows me blank page. Below is the AAA config on Firewall.
  I have installed Cisco ACS 4.2 on windows 2003 server.
        aaa-server test protocol tacacs+
        aaa-server test (inside) host X.X.X.X
          key **********
        no aaa authentication http console AAA LOCAL
        aaa authentication http console test LOCAL
        no aaa authentication ssh console AAA LOCAL
        aaa authentication ssh console test LOCAL
        aaa authentication telnet console test LOCAL
        aaa authentication enable console test LOCAL
        aaa accounting enable console test
        aaa accounting ssh console test
        aaa accounting telnet console test   
        aaa accounting command test
  Awaiting for soln.
  Thanks in advance.
  Regards,
  Amit.

  I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered were hosed and I could build up the user/password database again.
  Look in your console log. If you see something like:
  Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
  It means that the postgresql database that is started for collection this information can startup. It will try several times, and then fail. The way to fix this
  -Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
  -increase the memory settings from the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
  and add something like this:
  kern.sysv.shmmax=167772160
  kern.sysv.shmmin=1
  kern.sysv.shmmni=32
  kern.sysv.shmseg=8
  kern.sysv.shmall=65536
  See also:
  http://forum.servoy.com/viewtopic.php?p=47461

• Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

  Hello,
  Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
  I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
  Thanks in Advance.

  Hi Eduardo,
  Can you tell me how to map ACS 4.2?
  service=junos-exec
  local-user-name=Engineering
  Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
  Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
  local-user-name=opertions
  allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
  deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• What's wrong? Verify and compare Cisco 2901 config after loading old config from Cisco 2801

  Hi Cisco Community / Friends,
  I am new to this site though I have cisco account for many years. I am a CCNA ,I  passed my certification on January 2013 I seldom use and utilized my skills on networking becuase of my type of work. I am Project Eng'r working in a System integrator company . Anyway, I would like to ask assistance on the configurations of my Cisco router for this gov't projects.. Here's the situation.
  We have a new project for the VSAT Comm'n of  Coast Watch Station ,  The VSAT was installed 7 years ago. The VSAT was only used for a year by this Gov't agency because of  subscription issue. Now, they wants to revive and use their VSAT facilities for the Coast watch monitoring. Now, some of this routers are working up to now and for some site  are already defective so I need to replace the old 2801 router with a new equivalent model which is Cisco 2901. My plan was just to load the old config into the new Cisco 2901 router. However, after loading it to the new router, I am a little worried because I've got some errors received. I load the old config by copying the old files, edit it in notepad, and load the config using Secure CRT (terminal emulator). When I copy the old config of cisco 2801 to new router cisco 2901 , below are the command not recognized on Cisco 2901. What's wrong ? What are these commands for? 
  Appreciate your comments and help on this matter.. Thank You very much
  Note: I Attached the original config from Cisco 2801 and the other file is the config after I load the config file to Cisco 2901.
  (Errors see below)
  CWS_4_Pandami(config-erm)#mmi polling-interval 60
                                                         ^
  % Invalid input detected at '^' marker.
  CWS_4_Pandami(config-erm)#no mmi auto-configure
                                                         ^
  % Invalid input detected at '^' marker.
  CWS_4_Pandami(config-erm)#no mmi pvc
                                                         ^
  % Invalid input detected at '^' marker.
  CWS_4_Pandami(config-erm)#mmi snmp-timeout 180
                                                          ^
  % Invalid input detected at '^' marker.
  CWS_4_Pandami(config-if)#interface GigabitEthernet0/1
  CWS_4_Pandami(config-if)# description ===CWS4 SAT Modem===
  CWS_4_Pandami(config-if)# bandwidth 256
  CWS_4_Pandami(config-if)# ip address 192.168.42.1 255.255.255.0
  CWS_4_Pandami(config-if)# duplex auto
  CWS_4_Pandami(config-if)# speed auto
  CWS_4_Pandami(config-if)# priority-group 1
                                                      ^
  % Invalid input detected at '^' marker.
  CWS_4_Pandami(config)#access-list 100 permit ip any any dscp cs5
  CWS_4_Pandami(config)#priority-list 1 protocol ip high list 100
                                                  ^
  % Invalid input detected at '^' marker.

  Hi
  From Cisco's website:
  The Modem Management Interface (MMI) is software that enables auto-provisioning for the Cisco 827 routers. The MMI uses a fixed PVC to communicate with the Proxy Element (PE) residing on the digital subscriber line access multiplexer (DSLAM). Using MMI, the Cisco 827 router updates the running image and downloads the prescribed configuration using a configuration file or configuration values in a provisioning information database.
  The customer premise equipment (CPE) can be automatically configured using the Cisco DSL CPE download, but it can be configured only with the image provisioning feature.
  So because this is your device, you don't want to use MMI anyways.
  And "priority-list" is QoS. Probably that QoS-command is old and removed, because now QoS is configured using class-maps and policy-maps.

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.