Cisco ACS v4.1 - User Export incl. Authentication Method

Hi,
I wish to export a list of all our users, to include their group and more importantly, their password authentication method. We have a combination users that authenticate using both ACS internal database and also external RSA Secure ID database. Basically I need to identify all users who are NOT authenticating against Secure ID.
I ran CSUtil.exe -u   , however this only gives me the user & group, doesn't list the authentication method per user.
Thanks,
Brian

Brian,
Unfortunately, CSUtil.exe will only list the users & group they are a member of. So the simple answer is no.
If the goal is to set everyone to use token authentication, you could get export a list of all users with CSUtil.exe, then use the client import option to update database used for authentication of all users. Here is the url for documentation on this and other CSUtil.exe options.
=====================
Via Csutil
Created a file in text format
ONLINE
UPDATE::EXT_SDI
ADD::EXT_SDI:PROFILE:
DELETE:
csutil -i
=====================
If you feel adventerous, you could explore the contents of the dump.txt. by running csutil -d
This file does contain the information you are looking for. However, there is no documentation or support available for reading or decrypt it.,
Regards,
Jatin
Do rate helpful posts-

Similar Messages

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you descripbed, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Need to Create More Options in Cisco ACS 5.2 User section

    Hi Team,
    I Need to create more options on Cisco ACS 5.2 under internal identity store in users. please help how to do add, default not showing all.
    i have seen on internet. attaching doc.
    Regards
    MR

    To create additional attributes for internal users do the following:
    - go to System Administration > Configuration > Dictionaries > Identity > Internal Users
    - Press Create to define the additional attributes you require
    For each attribute can
    - define the type
    - give a default value. This will be applied to all existing users and appear as default when new user is created
    - indicate whether the attribute is required and must be defined for each user
    - define a policy condition. If define such a condition will appear as an option when customize rules in a policy

  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
    ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
    Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
    Any help on this would be really grateful to me.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
    Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
    By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
    -> In external user databases, i have added a external RADIUS token server.
    -> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
    -> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
    Here is what i found in "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Filtering is not applied.
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    02/28/2012
    00:42:18
    Unknown NAS
    (Unknown)
    10.204.124.71
    02/28/2012
    00:41:33
    Unknown NAS
    (Unknown)
    10.204.124.71
    02/28/2012
    00:31:52
    Unknown NAS
    Am i missing any thing in configuration side with respect to ACS?
    Thanks

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below is the steps I took to setup the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
    2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and
    RSA SecurID Token Server BUT I have
    experiences with Cisco ACS 4.1 running on
    Windows 2003 SP2 Enterprise Edition and
    RSA SecurID Token Server.
    All the troubleshoot you've done is correct.
    In Windows 2003 running Cisco ACS, you can
    install the test authentication RSA client
    and that you can verify that the setup
    is correct (by verifying that the sdconf.rec
    is not corrupted).
    One thing I can think of is that when you
    setup the ACS SE box, under external
    database, configure unknown user policy,
    did you check it to tell how to define users
    when they are not found in the ACS internal
    database. Did you select RSA SecurID token
    server?
    Other than that, from what I understand,
    you've done everything correctly.

  • Configure Nexus 7k for TACACS in Cisco ACS

    Hi,
    Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active
    Directory.
    Please advise if the below config are acceptable:
    feature tacacs+
    tacacs-server key KEY
    tacacs-server timeout 20
    tacacs-server host 1.1.1.1 key KEY
    aaa group server tacacs+ TEST
        server 1.1.1.1
        use-vrf management
        source-interface mgmt0
    tacacs-server directed-request
    aaa authentication login default group TEST
    aaa authentication login console none
    aaa authorization commands default group TEST
    aaa accounting default group TEST
    aaa authentication login error-enable

    Hi,
    What OS version are u using on your servers?
    Craig

  • Cisco ACS error codes

    Hi,
    I was wondering if anyone could possibly tell me the usual cause of the following error :
    Windows workstation not allowed
    It keeps coming up for one of our new wireless workstation even though it sometimes authenticates fine.
    thanks,
    Matt

    Matt,
    To satisfy Windows requirements for authentication requests, Cisco Secure ACS must specify the Windows workstation that the user is attempting to log into. Because Cisco Secure ACS cannot determine this information from authentication requests sent by AAA clients, it uses a generic workstation name for all requests. The workstation name used is "CISCO".
    In the local domain and in each trusted domain and child domain that Cisco Secure ACS will
    use to authenticate users, ensure both of the following:
    •A computer account named "CISCO" exists.
    •All users to be authenticated by Windows have permission to log into the computer named
    "CISCO".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco ACS 5.3 multiple AD domains

    Hello everyone
    I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
    Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
    Thanks,
    Markus

    Markus,
    If you are using peap mschapv2 then you can not use LDAP.
    Here is the link when it comes authentication protocol and database support -
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1014889
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC setup in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advice.
    Regards,
    Ram
    +6-012-2918870

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • CS-MARS user authentication using Cisco ACS

    Hi,
    I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.

    Hi,
    I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
    Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request.
    Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+  tac_admin
       server x.x.x.x
    aaa authentication login default group  tac_admin local
    aaa authentication login console group  tac_admin local 
    aaa accounting default group x.x.x.x
    On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
    1. Shell  (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have additional  context add next line
              shell:mycontext*Admin  default-domain
    After  loging to ACE and issuing sh users command you should see following
    User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
    *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
    Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS 4.2.1 authentication problem

    We are using cisco ACS 4.2.1 on windows 2003  to authenticate  with windows 2003 Actice Directory. We have update Active directory server windows 2008 version. We have checked the configuration of ACS on windows database and no problem but we can't see in ACS dynamic user. I have authentication problem ACS 4.2.1 to Windows 2008 R2 active directory.

    Hi there,
    There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
    Also if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want ready my previous answer.
    Let me know if this helps.

  • Supported devices/users on Cisco ACS 4.2

    Hi,
    Does anyone know how many devices/users does Cisco ACS  4.2 support ?
    I need to know this information for a very large deployment.
    Regards,           

    Hello,
    The following items are general answers to common system-performance questions. The performance of ACS in your network depends on your specific environment and AAA requirements.
    •Maximum users supported by the ACS internal database—There is no theoretical limit to the number of users the ACS internal database can support. We have successfully tested ACS with databases in excess of 100,000 users. The practical limit for a single ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated ACS instances.
    •Transactions per second—Authentication and authorization transactions per second depend on many factors, most of which are external to ACS. For example, high network latency in communication with an external user database lowers the number of transactions per second that ACS can achieve.
    •Maximum number of AAA clients supported— ACS has been tested to support AAA services for approximately 50,000 AAA client configurations. This limitation is primarily a limitation of the ACS memory.
    System Performance Specification.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp827669
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

Maybe you are looking for

  • Another Media Processor 8100 Upgrade Issue

    Hi, A few days ago I posted here about a problem upgrading a Media Processor 8100 (from 6.2.1 to 6.2.4). I was able to solve my problem, but now I've encountered a different problem upgrading a second 8100 box. After I ran the upgrade through the web

  • Rumor: CrossOver doesn't work properly on Leopard?

    I've been reading around a lot because i am going to buy a new Imac 24 inch with 2.8 Ghz, preinstalled with Leopard... and i've discovered that the planned program i was going to buy called CrossOver did not work properly with Leopard. What have you

  • New LCD monitor resolution

    My new Viewsonic LCD wants a resolution of 1680x1050. How do I set this in xorg.config or is it not possible.

  • [solved] lvm error loading libudev

    Hi, After updating I can't boot my arch linux because lvm volumes can't be found. "/sbin/lvm: error while loading shared libraries: libudev.so.0: cannot open shared object file: No such file or directory" There is only a libudev.so.1 in /usr/lib/ Som

  • How can i delete a wifi network?

    how can i delete a wifi network?