Cisco ACS-Log collector

Hi all,
I was doing some testing on the ACS 5.4 version in a distributed deployment.
Now the issue is that, when my primary log collector is down, there are no logs for accounting.
Is there any way to keep those logs when the primary log collector is down? Any suggestions for a workaround for the same?
Please suggest any method for the recovery.
thanks
Nitesh

Hi Nitesh,
I suggest deploying another log server
and configuring a remote log target pointing to that server.
Alternatively,
you can configure monitoring log recovery under Monitoring Configuration > System Operations > Log Message Recovery.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#pgfId-1083029
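The workaround discussed above (a second log target that holds accounting records while the primary collector is unreachable) amounts to store-and-forward. The following is an added example, not code from the original post or from Cisco ACS: a small relay that spools records locally in order and replays them once a send succeeds. The class name, the TCP syslog port and the sample accounting lines are assumptions, not ACS output.

```python
"""Store-and-forward relay for accounting syslog when the log collector is down.

Added example, not code from the original post or from Cisco ACS. Records are
spooled locally in order and replayed once a send succeeds. The class name, the
TCP syslog port and the sample accounting lines are assumptions.
"""
import collections
import socket
from typing import Callable, Deque, List, Tuple

# Constructed sample accounting records (illustrative, not the real ACS format).
SAMPLE_MESSAGES: List[str] = [
    "<134>acs01 CSCOacs_TACACS_Accounting User=alice Cmd='show running-config'",
    "<134>acs01 CSCOacs_TACACS_Accounting User=alice Cmd='configure terminal'",
    "<134>acs01 CSCOacs_RADIUS_Accounting Acct-Status-Type=Start User=bob",
    "<134>acs01 CSCOacs_RADIUS_Accounting Acct-Status-Type=Stop User=bob",
]

Sender = Callable[[str], None]   # raises OSError when the collector is unreachable


class SpoolingForwarder:
    """Deliver records in order; on failure, hold them in a bounded spool."""

    def __init__(self, send: Sender, max_spool: int = 10000) -> None:
        self._send = send
        self._spool: Deque[str] = collections.deque()
        self._max_spool = max_spool
        self.delivered = 0
        self.dropped = 0    # oldest records discarded when the spool is full

    def forward(self, msg: str) -> bool:
        """Try to deliver msg now. Return False if it had to be spooled."""
        if self._spool:
            self.replay()           # keep ordering: older records go first
        if self._spool:
            self._enqueue(msg)      # collector still down
            return False
        try:
            self._send(msg)
        except OSError:
            self._enqueue(msg)
            return False
        self.delivered += 1
        return True

    def replay(self) -> int:
        """Re-send spooled records oldest first; stop at the first failure."""
        sent = 0
        while self._spool:
            try:
                self._send(self._spool[0])
            except OSError:
                break
            self._spool.popleft()
            self.delivered += 1
            sent += 1
        return sent

    def spooled(self) -> int:
        return len(self._spool)

    def _enqueue(self, msg: str) -> None:
        if len(self._spool) >= self._max_spool:
            self._spool.popleft()   # bounded spool: drop the oldest record
            self.dropped += 1
        self._spool.append(msg)


def tcp_syslog_sender(host: str, port: int = 1468, timeout: float = 2.0) -> Sender:
    """Sender that opens a TCP connection per record (the port is an assumption)."""
    def send(msg: str) -> None:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(msg.encode("utf-8") + b"\n")
    return send


def simulate_outage(messages: List[str], outage_attempts: int,
                    max_spool: int = 10000) -> Tuple[List[bool], List[str], SpoolingForwarder]:
    """Drive the forwarder with a fake sender that fails for the first
    outage_attempts send calls (collector down) and then accepts records.
    Returns (per-record forward() results, records the collector received, forwarder).
    """
    attempts = 0
    received: List[str] = []

    def fake_send(msg: str) -> None:
        nonlocal attempts
        attempts += 1
        if attempts <= outage_attempts:
            raise OSError("collector unreachable")
        received.append(msg)

    fwd = SpoolingForwarder(fake_send, max_spool=max_spool)
    results = [fwd.forward(m) for m in messages]
    fwd.replay()
    return results, received, fwd


if __name__ == "__main__":
    results, received, fwd = simulate_outage(SAMPLE_MESSAGES, outage_attempts=3)
    print(results, fwd.delivered, fwd.spooled(), fwd.dropped)
```

Ordering is preserved by always draining the spool before sending a new record, and the spool is bounded so a long outage degrades to losing the oldest records rather than exhausting memory; `dropped` tells you how many accounting records were lost.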

Similar Messages

  • Cisco ACS - Logging Source IP (Public IP)

    What option needs to be selected to log/send to syslog the Source IP (public IP address) of a client that is connecting/attempting to connect to VPN?  Currently the only option that seemed to be close to Source IP was Source-NAS but I don't believe that is it.  Thanks in advance!

    Hi,
    Can you please provide the command to change the ip address of ACS 5.2?
    Need it on priority. please help.
    Uday

  • ACS 5.4 with ACS 5.6 as a Log Collector

    Hello,
    I have a ACS 5.4.0.46-6 running.
    Now I want to setup a ACS log collector on my ESX 5.5.
    Since ACS 5.4 is not supported on ESX 5.5 I want to install ACS 5.6.
    Question :
    Is this setup possible?
    Can I use the ACS 5.6 as a log-collector for the ACS 5.4?
    Regards,
    Herald

    Hi Herald,
    Your tests spare me a lot of time, since I was going to try the same configuration.
    I am afraid that such a configuration will not work, as long as the log collector server has to be part of the same distributed deployment as the other AAA servers. Actually, I think that servers that are members of the same distributed deployment need to run the same software version.
    Regards
    MM

  • ACS 5.4 Log Collector

    I am not receiving any tacacs accounting, authentication or authorization entries in my log collector.  I have my secondary server as the collector and it is receiving radius entries but not tacacs.  If I move the collector to the primary server, all works perfect.  Why does the secondary not receive the logs?  The primary is the device that is doing the auth for all devices and it should be sending the logs to the collector.

    Hello,
    Sometimes this can be DB corruption.
    Change the log collector back to the secondary. If you have the same behavior, reset the configuration on the secondary ACS and have it register again with the primary. This will make a clean DB on the secondary.
    Make sure you have the secondary ACS license handy.
    If you need specific help, let me know and I will be glad to assist.
    Also make sure that the secondary ACS has all the services running and that it has the 500 GB of HDD.
    Regards,
    Erdelgad

  • Cisco ACS 1121 version 5.3 - Logging

    Hi There
    I'm new to Cisco ACS 5.X. From what I have read, the Cisco ACS can act as a logging server. Does this mean all the syslog messages from all the other ACS and network devices can be stored by ACS? I'm a bit confused on this part.
    Lastly, I understand that Cisco ACS has many, or maybe 2, instances? When do we use these instances? What is an instance?
    Regards,
    Ram

    In a distributed deployment, you should specify one ACS server as the log collector. All other servers send logs to the log collector.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/logging.html
    In a distributed deployment, each ACS server is one instance. So you have one primary instance and multiple secondary instances.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/introd.html#wp1058054

  • Cisco ACS 5.3 patch 8 OPT Volume

    Hello,
    We currently have 12 ACS appliances, with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktops, laptops, smart phones, etc. on our network.
    The problem we are having is the OPT volume exceeding the 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
    In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
    This last time we ran into the 30% volume size quicker than we had previously. I had Cisco TAC delete the OPT volume and recreate it.
    Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
    The questions I have are:
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    We have Data Purging set to 30 days. We are performing Full and Incremental backups of the database. We are also sending the local logs to a syslog server.
    We are testing making changes to send only the AAA Audit and System Statistics logs to the Log Collector.
    Thanks,

    In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However, you have a large deployment, so I'm sure the authentication rate is high too, causing the view database size to keep increasing.
    In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.
    There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
    1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 a new option is provided to do an on-demand purge as well.
    2. Compress: This mechanism frees up unused space in the database without deleting any records. Before, the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met.
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on data purging and data compression enhancements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
    - Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log collector.
    - Provide a fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.
    - With the below listed commands you can check the actual and physical size of the MnT database
         acs-config
         Username: acsadmin
         Password: ***********
         acsview show-dbsize
    There are a few known defects on the same issue. However, the version you're running improves the database management processes.
    CSCto47203: ACS 5 runs out of disk space
    CSCua51804: View backup fails even when there is space in disk
    Jatin Katyal
    - Do rate helpful posts -

  • VPN client and Cisco ACS

    hi,
    I'm trying to set up a VPN solution, connecting to an 800 series router and authenticating off a Cisco ACS TACACS server.
    I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
    Debugging TACACS on the router I can see the requests being sent to the server, and the replies coming back. The login details are definitely correct, so I'm guessing that TACACS isn't authorising me to use VPN or IPsec or something. But there is nothing in the ACS logs to suggest why I'm not getting through; no failed attempts are shown.
    Any ideas?

    here is some debug from the router:
    Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
    Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
    Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
    Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
    Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
    Feb 24 12:28:58.989 UTC: T+: user: vpntest
    Feb 24 12:28:58.989 UTC: T+: port:
    Feb 24 12:28:58.989 UTC: T+: rem_addr:
    Feb 24 12:28:58.989 UTC: T+: data:
    Feb 24 12:28:58.989 UTC: T+: End Packet
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
    Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Feb 24 12:28:59.009 UTC: T+: msg: Password:
    Feb 24 12:28:59.009 UTC: T+: data:
    Feb 24 12:28:59.009 UTC: T+: End Packet
    s9990-cr#
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
    Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
    "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC.
    In the VPN Client log it says "User does not provide any authentication data".
    So to summarise:
    - The same ACS server\router\username combination works fine for telnet access.
    - VPN works fine with local authentication.
    - No login failures show in the ACS logs.
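The debug above prints the TACACS+ header and the authentication REPLY body field by field. As an added example (not code from the original post, from Cisco, or from the IOS debug itself), the decoder below reconstructs that reply, applies the RFC 8907 body obfuscation with a shared key, and maps the status byte to its RFC name: per RFC 8907, status 5 is GETPASS, the server asking the client for a password, which IOS reports under its own internal name GET_PASSWORD (8). The shared key and the constructed packet are assumptions chosen to reproduce the fields in the debug (version 0xC0, seq 2, session 0x67137E50, 16-byte body, flags 0x1, message "Password: ").

```python
"""TACACS+ (RFC 8907) authentication REPLY decoder.

Added example; not code from the original post, from Cisco, or from the IOS
debug above. The shared key and the constructed packet are assumptions chosen
to reproduce the fields printed in the router debug.
"""
import hashlib
import struct
from typing import NamedTuple, Tuple

TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body is sent in the clear
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01    # reply flag: client must not echo its input

# AUTHEN REPLY status codes (RFC 8907 section 5.2); IOS prints its own names.
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


class Header(NamedTuple):
    major: int
    minor: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int


class AuthenReply(NamedTuple):
    status: int
    status_name: str
    flags: int
    server_msg: bytes
    data: bytes


def parse_header(buf: bytes) -> Header:
    """12-byte header: version, type, seq_no, flags, session_id, body length."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", buf[:12])
    return Header(version >> 4, version & 0x0F, ptype, seq_no, flags, session_id, length)


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 keystream from RFC 8907 section 4.5; XORed with the body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, hdr: Header) -> bytes:
    """Apply (or, applied twice, remove) the body obfuscation."""
    version = (hdr.major << 4) | hdr.minor
    pad = pseudo_pad(key, hdr.session_id, version, hdr.seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_reply(status: int, server_msg: bytes = b"", flags: int = 0,
                       data: bytes = b"") -> bytes:
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body: bytes) -> AuthenReply:
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    msg = body[6:6 + msg_len]
    data = body[6 + msg_len:6 + msg_len + data_len]
    return AuthenReply(status, AUTHEN_STATUS.get(status, f"UNKNOWN({status})"), flags, msg, data)


def build_packet(body: bytes, key: bytes, seq_no: int, session_id: int,
                 ptype: int = TAC_PLUS_AUTHEN, version: int = 0xC0) -> bytes:
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    if key:
        body = obfuscate(body, key, parse_header(header))
    return header + body


def decode_packet(pkt: bytes, key: bytes) -> Tuple[Header, AuthenReply]:
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr.length]
    if not hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, key, hdr)   # same pad, XOR again restores the body
    return hdr, parse_authen_reply(body)


# Constructed packet reproducing the server reply in the router debug:
# seq 2, session 0x67137E50, 16-byte body, status 5, flags 0x1, "Password: ".
SHARED_KEY = b"example-key"   # assumption; the real key is not on the page
SAMPLE_REPLY = build_packet(
    build_authen_reply(5, b"Password: ", TAC_PLUS_REPLY_FLAG_NOECHO),
    SHARED_KEY, seq_no=2, session_id=0x67137E50)

if __name__ == "__main__":
    hdr, reply = decode_packet(SAMPLE_REPLY, SHARED_KEY)
    print(hdr)
    print(reply)
```

Decoding with the wrong shared key yields garbage rather than an error, which is why a key mismatch between router and ACS typically shows up as unintelligible replies or parse failures rather than an explicit authentication failure in the ACS logs.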

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • How to hide line console parameters through Cisco ACS

    Hi,
    Can any one of you please help me in the following scenario ?
    I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user level privileges through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he had privilege level 7 access.
    Can you please help me out with how to achieve this? Your help in this regard is highly appreciated.
    Thanks

    This is possible with local authorization on an IOS device. With ACS this is not possible.
    In ACS you can set which commands a specific user can issue. That feature is called command authorization.
    For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local privilege levels on a router/switch.
    The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
    Note: Having priv 15 does not mean that the user will be able to issue all commands.
    We will set up command authorization on ACS to have control over users.
    This is how your config should look,
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts
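With every user at privilege 15, what a user may actually run is decided by command authorization: for each command IOS sends a TACACS+ authorization request carrying `cmd=` and `cmd-arg=` AV pairs, and ACS matches them against a command set. The following is an added model of that evaluation, not code from the original post, from Cisco ACS or from IOS. The precedence assumed (first matching rule top to bottom, then the "permit any command not in the table" default) and the full-match regex semantics are assumptions; ACS's real evaluation across several command sets, such as Deny Always, is not modelled.

```python
"""Model of TACACS+ shell command authorization (ACS-style command sets).

Added example; not code from the original post, from Cisco ACS, or from IOS.
Rule precedence (first match, top to bottom, then the permit-unmatched default)
and full-match regex semantics are assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str       # "permit" or "deny"
    command: str      # first token of the command, e.g. "show"
    args: str = ""    # regex over the argument string; "" means any arguments


class CommandSet(NamedTuple):
    name: str
    rules: List[Rule]
    permit_unmatched: bool = False   # the "permit any command not in the table" box


def command_from_avpairs(avpairs: List[str]) -> str:
    """Rebuild the typed command from the request's AV pairs.

    IOS sends e.g. ["service=shell", "cmd=show", "cmd-arg=running-config",
    "cmd-arg=<cr>"]; the trailing <cr> marks end of line and is not an argument.
    """
    cmd = ""
    args: List[str] = []
    for av in avpairs:
        key, _, value = av.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return " ".join([cmd] + args).strip()


def authorize(cmd_set: CommandSet, avpairs: List[str]) -> Tuple[bool, Optional[Rule]]:
    """Return (permitted, matching rule or None for the unmatched default)."""
    line = command_from_avpairs(avpairs)
    if not line:
        return False, None
    cmd, _, args = line.partition(" ")
    for rule in cmd_set.rules:
        if rule.command == cmd and re.fullmatch(rule.args or ".*", args):
            return rule.action == "permit", rule
    return cmd_set.permit_unmatched, None


# Constructed command set for a read-only operator who nevertheless holds priv 15.
NETOPS = CommandSet("NetOps", [
    Rule("deny", "show", r"running-config.*"),   # evaluated before the broad permit
    Rule("permit", "show"),
    Rule("permit", "ping"),
    Rule("deny", "configure"),
])


def ios_request(command: str) -> List[str]:
    """Helper: the AV pairs IOS would send for `command` (hypothetical input)."""
    tokens = command.split()
    return (["service=shell", f"cmd={tokens[0]}"]
            + [f"cmd-arg={t}" for t in tokens[1:]] + ["cmd-arg=<cr>"])


if __name__ == "__main__":
    for c in ["show version", "show running-config", "configure terminal", "reload"]:
        ok, rule = authorize(NETOPS, ios_request(c))
        print(f"{c!r}: {'PERMIT' if ok else 'DENY'} via {rule}")
```

Note that the deny for `show running-config` sits above the broad `permit show`, and that unmatched commands like `reload` fall through to the set's default, so the default should stay at deny for anyone who is not a full administrator.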

  • Cisco ACS 4.2 - Server Busy

    Hi!
    We're authenticating our desktops and IP phones via 802.1x using two RADIUS servers running Cisco ACS v4.2 on Win2k8.
    From time to time we run into the problem that one of the servers 'gets too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP phones (Siemens OpenStage).
    What I don't understand is why the ACS acts that way...
    TAC says that all 42 or so threads are in use when the server says it's too busy.
    While the server is 'busy' the CPU runs at 1 - 2 %!! And there's loads of RAM left...
    This is an extract from the CSRadius log file:
    RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDP
    RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS
    ...
    RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
    Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
    Thanks a lot!

    The key is to get all of the information needed. Normally when they say it takes too long for the client to answer, that is not always the exact fault.
    You may get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
    The information needed is the following;
    all of these items really need to be gathered at the same time:
    switch debugs including
    debug radius
    debug aaa authen
    debug aaa accounting
    sniffer capture between the switch and the ACS
    logs from ACS with debugs enabled.
    If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD.
    All of these together should tell you where the delay or failure lies, and at that time some changes can be suggested.
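Before the debugs and captures the reply asks for, the CSRadius log alone already tells you how often requests are being dropped and from which NAS. The following is an added example, not code from the original post or from Cisco ACS 4.2: it parses the RDS lines quoted in the question, counts ignored requests per source, and flags bursts of "Server too busy" events within a time window. The field layout assumed is `RDS <date> <time> <level> <code> <thread> 0x0 <message>`; the window size and threshold are assumptions, and the sample lines are the ones from the post above (the `...` marks the post's own elision).

```python
"""Detection over CSRadius 'Server too busy' log lines.

Added example; not code from the original post or from Cisco ACS 4.2. The
field layout, window size and threshold are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

LINE_RE = re.compile(
    r"^RDS (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\w) (\d{4}) (\d+) (0x[0-9A-Fa-f]+) (.*)$")
BUSY_RE = re.compile(r"Server too busy - request from (\S+) ignored")
TS_FMT = "%m/%d/%Y %H:%M:%S"


class Event(NamedTuple):
    ts: datetime
    level: str
    code: str
    thread: int
    message: str


# Lines copied from the post above; the '...' is the post's own elision.
SAMPLE_LOG = """\
RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignored
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NAS
RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NAS
RDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDP
RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS
...
RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
"""


def parse_line(line: str) -> Optional[Event]:
    """Parse one RDS line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, code, thread, _flags, message = m.groups()
    return Event(datetime.strptime(ts, TS_FMT), level, code, int(thread), message)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(events: List[Event]) -> Dict[str, object]:
    """Counts a responder wants first: dropped requests, by NAS, by error code."""
    busy_sources: Counter = Counter()
    for e in events:
        m = BUSY_RE.search(e.message)
        if m:
            busy_sources[m.group(1)] += 1
    span = (max(e.ts for e in events) - min(e.ts for e in events)) if events else timedelta(0)
    return {
        "busy_total": sum(busy_sources.values()),
        "busy_sources": busy_sources,
        "no_response": sum("no response sent to NAS" in e.message for e in events),
        "codes": Counter(e.code for e in events),
        "threads": sorted({e.thread for e in events}),
        "span_seconds": int(span.total_seconds()),
    }


def busy_bursts(events: List[Event], window_s: int = 5, threshold: int = 3) -> List[Tuple[str, int]]:
    """Windows (start time, count) with at least `threshold` busy events."""
    busy = [e for e in events if BUSY_RE.search(e.message)]
    if not busy:
        return []
    origin = min(e.ts for e in events)
    buckets: Counter = Counter(int((e.ts - origin).total_seconds()) // window_s for e in busy)
    return [((origin + timedelta(seconds=b * window_s)).strftime(TS_FMT), n)
            for b, n in sorted(buckets.items()) if n >= threshold]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print(busy_bursts(evs))
```

On the quoted extract this reports four ignored requests from two NAS addresses inside one second, and the thread IDs seen give a rough lower bound on how many of the worker threads TAC mentioned were busy at that moment.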

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating a Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request,
    could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+  tac_admin
       server x.x.x.x
    aaa authentication login default group  tac_admin local
    aaa authentication login console group  tac_admin local 
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
         if you have an additional context, add the next line
               shell:mycontext*Admin default-domain
    After logging in to ACE and issuing the sh users command you should see the following
    User      Context   Line     Login Time     (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0    Sep 21 12:24   (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Cisco ISE log configuration commands enetered on routers

    Hello,
    I am trying to migrate from Cisco ACS to ISE.
    I want to log configuration commands entered on routers.
    I have configured the routers to send RADIUS accounting to ISE but ISE sees the messages as:
    "22003 Missing attribute for authentication
    11014 RADIUS packet contains invalid attribute(s)"
    Can I configure ISE to receive RADIUS accounting messages?
    Is there another way to configure ISE to log configuration commands?
    Another way would be to send syslog messages using the archive configuration on routers, but I cannot find the syslog messages on ISE.
    Regards,
    Bogdan

    You should post your question on the AAA forum
    https://supportforums.cisco.com/community/netpro/security/aaa
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (with "Change password on next login" checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help, but I am not using AnyConnect in production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS 5.4 patch 6

    Hi Everyone,
    I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
    Connectivity between them is ok, same subnets.  I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory.  Both of these ACSes are used to authenticate my network devices.
    Every time I use the webUI to log into the Secondary ACS (https://CiscoACS2), I can see that the CiscoACS2 is synced with CiscoACS1, the status is always "UPDATED"
    However, if I webUI into the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending". 
    I've tried to do "full replication" and eventually it will show up as "UPDATED" but a few hours later, it will show up as "PENDING".
    Anyone knows why?  Is this a "bug"?
    Thanks in advance.

    Hi,
    If the replication status on the ACS1 GUI is showing pending, then you should know that full replication happens over the Sybase DB TCP port 2638, so that port needs to be open in the firewall.

  • Cisco ACS 4.2(1) Certificate problem

    Hi guys,
    I am trying to upgrade the OS from W2K3 to W2K8 STD 32-bit.
    I am using Cisco ACS v4.2(1) patch level 15 on this OS.
    When I try to activate EAP-MSCHAPv2 after creating certificates (self-signed or using an external CA), the following problem is registered in the Windows application log:
    Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
    What could be the problem here? The version of that DLL is different from W2K3, but the ACS 4.2(1) release notes are clear that using W2K8 32-bit has no problems.
    best regards,
    NC

    Anyone?
    I think this may be some bug, but I am not so sure about that.
    regards,
    NC
