Cisco ACS Server

Hi
I have at present a Cisco ACS server 3.3. I want to upgrade the server to the latest version and also cluster it with another one so that we could have a redundant infrastructure: if one fails, the other one takes over.
Can you provide a suitable solution for this?
Thanks

Hi,
The latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
Then you can install another ACS 4.1 on a different machine and set up replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
Once these two are set, you can define both of these servers as RADIUS/TACACS servers on the devices and there would be redundancy.
Regards,
Vivek

Similar Messages

  • Cisco ACS Server . Download Evaluation Version For Testing.

    Hello.
    I want to try to install ACS server for Windows to check how this works with Microsoft AD. Does anyone know where I can download an evaluation version of Cisco ACS Server for Windows?

    Hello Michael-
    The ACS version for Windows is no longer available. The product is EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
    The product was replaced with a Linux-based version (5.x) and it is a much easier product to install and manage.
    If you want to evaluate the product I would recommend that you contact your local Cisco partner:
    https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
    Thank you for rating helpful posts!

  • Limitations of Cisco ACS server

    I want to ask about limitations of Cisco ACS server 3.3.
    I use ACS server for RADIUS authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation, or is it due to hardware performance?
    Can I also solve this problem with a High Availability configuration?

    Hi
    ACS performance is a very complex issue and depends largely on:
    1) auth protocol (anything EAP is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against the internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of TCP/IP connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 TCP/IP connections to CSAuth. Messages to CSAuth are blocking, so 20 simultaneous authentications that took 1 second each would cap performance at 20 auths/sec.
    EAP-TLS and now EAP-FAST are really, really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad-CPU server won't reduce back-end external DB latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low-cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran
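The concurrency cap Darran describes (50 CSRadius threads, 20 blocking connections to CSAuth) can be checked with a small discrete-event model. This is an added example, not code or measurements from the thread; the workloads below are constructed, and the thread/connection counts are taken from the post above.

```python
import heapq

def simulate(requests, threads=50, connections=20):
    """Discrete-event model of CSRadius threads multiplexing blocking calls
    over a fixed pool of CSAuth connections.

    requests: list of (arrival_ms, service_ms) in arrival order (constructed).
    Returns (finish_ms, waits_ms): when the last auth completes, and how long
    each request queued before a connection was free.
    """
    slots = min(threads, connections)   # a request needs a thread AND a connection
    busy = []                           # min-heap of times at which slots free up
    waits = []
    clock = 0
    for arrival, service in requests:
        clock = max(clock, arrival)
        if len(busy) >= slots:
            # every connection is inside a blocking call: wait for the earliest
            clock = max(clock, heapq.heappop(busy))
        waits.append(clock - arrival)
        heapq.heappush(busy, clock + service)
    return max(busy), waits

def throughput_per_sec(requests, **kw):
    """Authentications completed per second for the whole workload."""
    finish, _ = simulate(requests, **kw)
    return len(requests) * 1000 / finish

# Constructed workloads (not measurements from the thread):
# 1) a burst of 200 one-second authentications (e.g. slow external DB lookups)
SLOW_BURST = [(0, 1000)] * 200
# 2) 20 slow AD lookups arrive first, then 10 fast internal-DB auths half a
#    second later; the fast ones are stuck behind the 20 blocked connections
MIXED = [(0, 2000)] * 20 + [(500, 10)] * 10

if __name__ == "__main__":
    print(throughput_per_sec(SLOW_BURST))               # 20.0 auths/sec
    print(throughput_per_sec(SLOW_BURST, threads=200))  # still 20.0: connections cap it
    _, waits = simulate(MIXED)
    print(max(waits))                                   # 1500 ms queueing for fast auths
```

Raising the thread count alone changes nothing in this model; only more connections (or more servers) raise the ceiling, which is the point of the post.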

  • Cisco ACS server 5.1 console login

    I have an ACS server 5.1 virtual appliance. It is functioning properly in terms of performing its RADIUS and TACACS responsibilities. However, I cannot log in via the local console or via ssh no matter which username and password I try. I have tried every local username on the ACS server as well as creating new ones with new passwords as superadmin, but no success. It always returns a "Login incorrect" message. I can use all of these same accounts to log in to the web interface without failure. Does anyone have any ideas on what the problem is? What am I missing?
    J

    To log in to CLI, use the administrator user account (and the corresponding password) that you created during the setup process.
    Accessing ACS CLI
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003
    Please be aware that the credentials used to log in to the ACS CLI are entirely different from those used to authenticate at the ACS GUI screen, and have absolutely nothing to do with credentials specified elsewhere in the network (such as on an Active Directory server).
    In case you do not remember your CLI credentials (please note that these credentials are case sensitive), you can insert the ACS 5.x disc and follow the instructions for resetting the default administrator password. This will set the username to administrator and the password to default. After that, you should be able to create a new username and password through the ACS CLI.
    For further reading on using the ACS command line interface, please refer to the link below:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wpxref48407
    Regards,
    Jatin
    Do rate helpful posts-

  • Is CISCO ACS server same as RADIUS server?

    Please advise.
    If not, what's the difference between them?

    The ACS server suite includes a RADIUS service (and TACACS+).
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html
    Good Luck
    Scott

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS TACACS for authentication based on Active Directory. Is it possible to use Active Directory as a criterion for authentication AND source IP?
    For example, if someone wants to log in to a certain device, they must have correct credentials AND their IP must be sourced from the acceptable subnet range.
    Thanks!

    I see your point. This will depend on whether the user's IP is provided in the authentication request; if this information is provided, then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter, and configure the user's IP in it
    2. Customize your Conditions under Access Policies/Authorization to use the End Station Filter
    3. Define your rule with the required result

  • Linksys WAP54G connecting to CISCO ACS via LEAP

    I understand that the Linksys WAP54G supports WPA and 802.1x authentication. Will a Cisco-compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server?
    Connection scenario:
    Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
    Please advise if such a setting is feasible.
    Thanks

    This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksys product line. They operate as a totally separate, wholly owned subsidiary of Cisco.
    As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
    If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
    One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.
    Also there are two types of WPA: WPA-Personal, which supports only the WPA encryption, with the keys handled by a pre-shared key input system (no RADIUS server), and WPA-Enterprise, which is certified using WPA encryption and an 802.1x EAP-TLS RADIUS server (in fact using Microsoft and Funk Software servers). Make sure that the Linksys supports WPA-Enterprise, or it may not support 802.1x.
    Bruce Alexander, Cisco

  • CS-MARS user authentication using Cisco ACS

    Hi,
    I would like CS-MARS (Web Interface) user authentication to be done by the Cisco ACS Server. Please let me know whether it is possible or not, and if possible, how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.


  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux, RSA SecurID 6.1 and Cisco ACS 3.2. I use TACACS+ authentication for logging into the Cisco router, such as telnet and ssh. In the ACS I use "external user databases" for authentication, which proxy the request from the ACS over to the RSA SecurID server. I installed RSA Agents with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
    Everything is working fine. In the "User Setup" I can see dynamic users test1, test2, ... testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
    The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into the "test1" user setting, select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
    Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, the test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token.
    The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Cisco ACS / Trend Micro Office / Cisco Trust Agent

    We currently utilize Cisco ACS Server and Trend Micro OfficeScan and would like to deploy Cisco Trust Agent 2.0 on a few laptops. Has anyone been involved with such a deployment? If so, any suggestions or documentation?
    Thanks,

    CTR uses the admin shares to connect to a Windows server.
    Depending on how you configured it, it will try an nmap fingerprint scan, use static OS mappings, or perform a level 2 scan by using the admin shares.
    If you are using it through firewalls, the fingerprinting does not work properly.
    You will also notice that since version 2.0.3 there haven't been any new agents developed for it. Also, 2.0.5 started to upgrade all port scans etc., whereas before it didn't.
    I would look at speaking to your Cisco account team about the next version of Cisco IPS instead.

  • Cisco ACS 4.1 Windows License Key Question

    How do I obtain the license key for my Cisco ACS Server for Windows software v4.1?

    For ACS for Windows, there is no license key. You need to purchase the ACS software.
    During installation, it does not ask for any key.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS server with NAC feature

    Hi,
    I have ACS version 3.3 and I have seen that it has a network admission control feature in it. I have Cisco 3750G switches and Windows Server 2003. Currently I am running machine/user authentication over EAP-PEAP and it seems to be running ok in my network. I now have a new requirement: we want to authorize the machine only when the machine has the latest antivirus running on it. We have Symantec antivirus on our machines.
    I am new to network admission control and don't know much.
    Can I do it with Cisco ACS server? Do we have to buy any equipment/software to accomplish this? Your help in this matter will be highly appreciated.
    Regards

    This is called NAC framework, and as far as I know this might be possible, but you might find some limitations; see the following link for guides:
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
    On the other hand, the current NAC solution, "Cisco Clean Access", will allow you to play with it as desired, see:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html
    hth
    Ivan

  • Cisco ACS (TACACS+) - AAA failure on WLC

    Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
    Authentication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and activity > failed attempts):
    Message Type: Author Failed
    Author-Failure-Code: Service denied
    Author-Data: service=ciscowlc protocol=common
    Does anybody have any idea how to resolve this problem?
    Thanks,
    Colm

    Hi,
    The document you referred to is correct.
    What version of WLC are you running?
    Check this one:
    CSCsk21007    WLC requires tacacs authentication when configuration change ccess Control
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • ACS Server Rights

    hi,
    I am setting up a Cisco ACS server with different privilege levels. I want to limit the set of commands under configuration mode for each different privilege level. As of now, if I give conf t access, the user can access all the config level commands, which I need to limit on a role basis. Could someone guide me on how I can achieve this?

    Hi
    For role-based device admin control, you need to look at device command sets:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4a.html#wp737624
    Tasks involve:
    1) Defining Network Device Groups
    2) Defining a set of command sets
    3) For each group, mapping NDGs to command sets
    Think of a command set as a set of permissions given to a particular role (group) for a specific resource (NDG).
    Darran
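The three tasks above amount to a role x resource matrix that is evaluated per command. The model below is an added example, not ACS code or the thread's own configuration: the group, NDG and command-set names are constructed, and the evaluation order (command lookup, then per-argument permit/deny rules, then the unmatched defaults) is an assumption about how ACS 4.x shell command authorization sets behave, simplified for illustration.

```python
import re

# Step 2: command sets (constructed). Each has a default for commands that are
# not listed, and per-command argument rules (permit|deny, regex) checked in
# order, with a default for arguments that match no rule.
COMMAND_SETS = {
    "ReadOnly": {
        "unmatched_commands": "deny",
        "commands": {
            "show": {"unmatched_args": "permit", "args": [("deny", r"running-config")]},
        },
    },
    "AccessPortOps": {
        "unmatched_commands": "deny",
        "commands": {
            "show": {"unmatched_args": "permit", "args": []},
            "configure": {"unmatched_args": "deny", "args": [("permit", r"^terminal$")]},
            "interface": {"unmatched_args": "deny",
                          "args": [("permit", r"^(GigabitEthernet|FastEthernet)\d+/0/\d+$")]},
            "shutdown": {"unmatched_args": "permit", "args": []},
            "no": {"unmatched_args": "deny", "args": [("permit", r"^shutdown$")]},
        },
    },
}

# Steps 1 and 3: Network Device Groups (constructed names) and which command
# set each user group gets on each NDG, i.e. the role x resource matrix.
ASSIGNMENTS = {
    "NetOps":   {"Access-Switches": "AccessPortOps", "Core-Routers": "ReadOnly"},
    "Helpdesk": {"Access-Switches": "ReadOnly"},
}

def authorize(group, ndg, command_line):
    """Return True if the command is permitted for this group on this NDG.
    A group with no command set mapped for the NDG gets nothing (fail closed)."""
    set_name = ASSIGNMENTS.get(group, {}).get(ndg)
    if set_name is None:
        return False
    cs = COMMAND_SETS[set_name]
    cmd, _, args = command_line.strip().partition(" ")
    rule = cs["commands"].get(cmd)
    if rule is None:
        return cs["unmatched_commands"] == "permit"
    for action, pattern in rule["args"]:
        if re.search(pattern, args.strip()):
            return action == "permit"
    return rule["unmatched_args"] == "permit"
```

Note that the same NetOps group is allowed "configure terminal" on access switches but not on core routers, which is the per-NDG limiting the question asks for.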

  • Netscreen firewall authentication by Cisco ACS

    Since the Netscreen firewall only supports RADIUS authentication, is the Cisco ACS server able to support it? If yes, which version, and where can I find more info about it?

    If it supports RADIUS then ACS should be able to support it.
    I believe the latest version of ACS is V6.33; you can download a trial version from this site.
    All the information you require should be here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
    HTH
    PJD
