Cisco ACS v5.3 - Unable to define Device Filter
Dear Community!
I'm new to ACS version 5 family and I would like to ask if anybody has already experienced the following strange issue with ACS version 5.3.0.40 GUI: I have several AAA clients already defined in the "Network Devices and AAA Clients" menu and I need to create a new device filter in the
"Policy Elements > ... > Session Conditions > Network Conditions > Device Filters"
menu.
But unfortunately, after clicking the "Create" button, I cannot use any type of device filter :-( After filling in the device IP / name / group and clicking the "Go" button, nothing happens; I always get no results, so I cannot select any device to be included in the device filter.
For example, I have an IPS device named "DC1IPSC010" and I'm trying to add this device to a new device filter with no luck.
What I have already tried:
Using the full text, which equals DC1IPSC010.
Using partial text containing IPS.
Using Internet Explorer 9-10-11
Using FireFox v4.x and the latest v32 versions
Clearing my Java temporary files cache
Using different operating systems
My installed Java version is Java 1.7 update 51.
Has anybody experienced the same issue with this version? Are there any workarounds for this?
Many thanks in advance!
BR
Bela
I know this is a 2 year old thread, but you just saved me from banging my head against a wall.
GUI credentials of super-admin should be in bold somewhere in the documentation.
Similar Messages
-
Cisco ACS 5.2 with NX-OS devices (Nexus) - User issues
Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus Devices.
I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access on all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.
When I use that same User1 account into our NEXUS devices, I do NOT get privilege 15 access. As you probably know, NEXUS devices have roles: pre-defined or custom-made roles. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).
So then I tried to tweak User1 and give it network-admin under Shell profile >> Custom Attributes. I logged into the NEXUS and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.
Has anyone ever run into this problem? Please Help!
Thanks,
neocec
Neocec,
Yes, here is the documentation that provides insight into this (they make reference to the = and the *).
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473433
Thanks,
Tarik -
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
Supported devices/users on Cisco ACS 4.2
Hi,
Does anyone know how many devices/users Cisco ACS 4.2 supports?
I need to know this information for a very large deployment.
Regards,
Hello,
The following items are general answers to common system-performance questions. The performance of ACS in your network depends on your specific environment and AAA requirements.
•Maximum users supported by the ACS internal database—There is no theoretical limit to the number of users the ACS internal database can support. We have successfully tested ACS with databases in excess of 100,000 users. The practical limit for a single ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated ACS instances.
•Transactions per second—Authentication and authorization transactions per second depend on many factors, most of which are external to ACS. For example, high network latency in communication with an external user database lowers the number of transactions per second that ACS can achieve.
•Maximum number of AAA clients supported— ACS has been tested to support AAA services for approximately 50,000 AAA client configurations. This limitation is primarily a limitation of the ACS memory.
System Performance Specification.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp827669
~BR
Jatin Katyal
**Do rate helpful posts** -
Unable to generate reports in Cisco ACS 4.2
Hi All,
I have configured AAA on the firewall and I am successfully able to log in to it using an ACS username and password, but I am unable to generate Accounting and Administration logs. Whenever I check either of these logs it shows me a blank page. Below is the AAA config on the firewall.
I have installed Cisco ACS 4.2 on windows 2003 server.
aaa-server test protocol tacacs+
aaa-server test (inside) host X.X.X.X
key **********
no aaa authentication http console AAA LOCAL
aaa authentication http console test LOCAL
no aaa authentication ssh console AAA LOCAL
aaa authentication ssh console test LOCAL
aaa authentication telnet console test LOCAL
aaa authentication enable console test LOCAL
aaa accounting enable console test
aaa accounting ssh console test
aaa accounting telnet console test
aaa accounting command test
Awaiting a solution.
Thanks in advance.
Regards,
Amit.
I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered to be hosed, so I had to build up the user/password database again.
Look in your console log. If you see something like:
Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
it means that the postgresql database that is started for collecting this information cannot start up. It will try several times, and then fail. The way to fix this:
- Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
- increase the memory settings for the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
and adding something like this:
kern.sysv.shmmax=167772160
kern.sysv.shmmin=1
kern.sysv.shmmni=32
kern.sysv.shmseg=8
kern.sysv.shmall=65536
See also:
http://forum.servoy.com/viewtopic.php?p=47461 -
Unable to integrate WLC with cisco ACS
Hi,
I am not able to integrate Cisco TACACS with the WLC.
Below are the error logs from the Juniper firewall:
WLC IP: 10.210.126.133
Cisco ACS: 10.116.45.131
Date/Time            Source Address/Port   Destination Address/Port  Translated Source Address/Port  Translated Destination Address/Port  Service      Duration  Bytes Sent  Bytes Received  Close Reason
2013-11-04 16:31:03  10.210.126.133:49098  10.116.45.131:49          10.210.126.133:49098            10.116.45.131:49                     TCP PORT 49  2 sec.    591         428             Close - TCP FIN
2013-11-04 16:31:03  10.210.126.133:51759  10.116.45.131:49          10.210.126.133:51759            10.116.45.131:49                     TCP PORT 49  2 sec.    525         326             Close - TCP FIN
2013-11-04 16:31:09  10.210.126.133:51759  10.116.45.131:49          10.210.126.133:51759            10.116.45.131:49                     TCP PORT 49  9 sec.    475         238             Close - TCP FIN
2013-11-04 16:31:09  10.210.126.133:49098  10.116.45.131:49          10.210.126.133:49098            10.116.45.131:49                     TCP PORT 49  9 sec.    519         318             Close - TCP FIN
Please suggest whether any changes need to be made at either end.
Cisco ACS Server:
11/04/2013 16:31:01 | Author failed | ads.shalder | DCN-BANG2&BANG5-RW | 127.0.0.1 | Service denied | service=ciscowlc protocol=common | 10.210.126.133 | ads.shalder | No | 1 | 10.210.126.133
Please suggest further.
Br/Subhojit
Hi,
We are getting this error in the WLC-side debug:
(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
WLC hardware is: AIR-CT2504-K9V01
Br/Subhojit -
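The WLC debug above is the decisive clue in this thread: authentication completes (GETPASS, then tplus_authen_passed), the controller sends an authorization request, and the server answers status=16. In the TACACS+ protocol (RFC 8907) 0x10 is TAC_PLUS_AUTHOR_STATUS_FAIL, an explicit policy denial, which is different from 0x11 (STATUS_ERROR, a server-side fault) and from the connection-level failures the Juniper session table already rules out (every session to port 49 closed cleanly with a FIN). The script below is an added example, not Cisco code and not part of the thread: it parses the quoted tplusTransportThread lines, maps the numeric status codes to their protocol names, and produces a short triage verdict. The verdict wording is this example's own; the status tables are the RFC's.

```python
"""Decode a WLC 'tplusTransportThread' TACACS+ debug trace into a triage summary.
Added example for this thread (not Cisco code). Status names come from the TACACS+
specification (RFC 8907); the verdict text is this example's own interpretation."""
import re

PACKET_TYPE = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

LINE_RE = re.compile(r"tplusTransportThread: (?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
FORWARD_RE = re.compile(r"Forwarding request to (?P<server>\S+) port=(?P<port>\d+)")
RESP_RE = re.compile(r"tplus auth response: type=(?P<type>\d+) seq_no=(?P<seq>\d+) session_id=(?P<sid>[0-9a-fA-F]+)")
AUTHOR_RE = re.compile(r"author response body: status=(?P<status>\d+)")
RESULT_RE = re.compile(r"authorization for (?P<user>\S+) failed status=(?P<status>\d+)")

# Quoted from the thread (WLC side, 'debug aaa tacacs' style output).
DEBUG_SAMPLE = """(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
"""


def status_name(kind, code):
    """Map a numeric TACACS+ status to its RFC 8907 name ('authen' or 'author' table)."""
    table = AUTHEN_STATUS if kind == "authen" else AUTHOR_STATUS
    return table.get(code, "UNKNOWN(0x%02x)" % code)


def verdict(summary):
    """Example's own triage text, chosen from the decoded authorization status."""
    st = summary["author_status"]
    if st is None:
        if summary["server"] is None:
            return "no request was sent to a TACACS+ server"
        return "no authorization reply decoded; check reachability of the server on TCP/49"
    if st == 0x10:
        return "server replied AUTHOR_STATUS_FAIL: the policy explicitly denied this service for the user"
    if st == 0x11:
        return "server replied AUTHOR_STATUS_ERROR: server-side error, check the server's own logs"
    if st in (0x01, 0x02):
        return "authorization passed"
    return "unexpected authorization status " + status_name("author", st)


def summarize(debug_text):
    """Walk the debug lines once and collect server, session, authen steps and author result."""
    summary = {"server": None, "session_id": None, "packet_types": [], "authen_steps": [],
               "authen_passed": False, "author_status": None, "author_status_name": None, "user": None}
    for raw in debug_text.splitlines():
        m = LINE_RE.search(raw)          # search, not match: the first line carries the CLI prompt
        if not m:
            continue
        msg = m["msg"]
        f = FORWARD_RE.search(msg)
        if f:
            summary["server"] = "%s:%s" % (f["server"], f["port"])
            continue
        r = RESP_RE.search(msg)
        if r:
            summary["session_id"] = r["sid"]
            summary["packet_types"].append(PACKET_TYPE.get(int(r["type"]), "?"))
            continue
        if msg.startswith("TPLUS_AUTHEN_STATUS_"):
            summary["authen_steps"].append(msg[len("TPLUS_AUTHEN_STATUS_"):])
            continue
        if "tplus_authen_passed" in msg:
            summary["authen_passed"] = True
            continue
        a = AUTHOR_RE.search(msg) or RESULT_RE.search(msg)
        if a:
            code = int(a["status"])
            summary["author_status"] = code
            summary["author_status_name"] = status_name("author", code)
            if "user" in a.groupdict():
                summary["user"] = a["user"]
    summary["verdict"] = verdict(summary)
    return summary


if __name__ == "__main__":
    for key, value in summarize(DEBUG_SAMPLE).items():
        print("%-20s %s" % (key, value))
```

Run against the quoted trace it reports authen_passed True, author_status 16 (FAIL) for user ads.shalder and the "explicitly denied" verdict, which lines up with the ACS side showing "Service denied" for service=ciscowlc protocol=common: the thing to look at is the ACS policy for that service, not the network path.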
How to hide line console parameters through Cisco ACS
Hi,
Can any one of you please help me in the following scenario?
I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user privilege level through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he has privilege level 7 access.
Can you please help me out with how to achieve this? Your help in this regard is highly appreciated.
Thanks
This is possible with local authorization on an IOS device. With ACS this is not possible.
In ACS you can set which commands a specific user can issue. That feature is called command authorization.
For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv levels on a router/switch.
The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
Note: Having priv 15 does not mean that the user will be able to issue all commands.
We will set up command authorization on ACS to have control over users.
This is how your config should look:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
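To make the "priv 15 plus command sets" model concrete, here is an added example (not from the thread, not ACS code) that evaluates a command line against command sets in the style of ACS 5 command authorization: an ordered table of permit / deny / deny-always rules, each with a command word and an argument regex, plus the "permit any command not in the table" switch. The matching semantics (first matching row wins, case-insensitive command word, deny-always overriding any permit when several sets apply) are this example's assumptions about how such a set behaves, not a statement of the product's implementation; the command set contents are constructed.

```python
"""Model of TACACS+ command authorization with ACS 5-style command sets.
Added example; the matching rules below are assumptions, not the product's code."""
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Rule:
    grant: str          # "permit", "deny" or "deny_always"
    command: str        # command word, compared case-insensitively (assumption)
    args: str = ".*"    # regular expression over the argument string (assumption)


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: Tuple[Rule, ...]
    permit_unlisted: bool = False   # "permit any command that is not in the table"


def split_command(line):
    """IOS sends the command word and its arguments separately; mimic that split."""
    parts = line.strip().split(None, 1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def evaluate_set(cs, cmd, args):
    """First matching row decides; unlisted commands fall back to the set's default."""
    for rule in cs.rules:
        if rule.command.lower() == cmd and re.fullmatch(rule.args, args):
            return rule.grant
    return "permit" if cs.permit_unlisted else "deny"


def authorize(command_sets, line):
    """deny_always from any set wins; otherwise a permit from any set is enough."""
    cmd, args = split_command(line)
    grants = [evaluate_set(cs, cmd, args) for cs in command_sets]
    if "deny_always" in grants:
        return False
    return "permit" in grants


# Constructed sets: read-only operators may run show/ping/traceroute but not view
# the running configuration (it carries secrets) and never enter config mode.
READ_ONLY = CommandSet("NetOps_ReadOnly", (
    Rule("deny", "show", r"running-config.*"),
    Rule("deny", "show", r"startup-config.*"),
    Rule("permit", "show"),
    Rule("permit", "ping"),
    Rule("permit", "traceroute"),
    Rule("deny_always", "configure"),
    Rule("deny_always", "reload"),
    Rule("deny_always", "write"),
))
# A permissive lab set: everything not listed is allowed.
LAB_OPEN = CommandSet("Lab_Open", (), permit_unlisted=True)


def demo(sets):
    """Return a {command: decision} table for a fixed list of constructed command lines."""
    lines = ["show ip interface brief", "show running-config", "ping 10.0.0.1",
             "configure terminal", "clear counters", "reload"]
    return {line: authorize(sets, line) for line in lines}


if __name__ == "__main__":
    for line, ok in demo([READ_ONLY]).items():
        print("%-6s %s" % ("PERMIT" if ok else "DENY", line))
```

The point the answer above makes shows up directly: a user who has exec privilege 15 on the router still cannot run "configure terminal" or "show running-config" when the matching command set says so, and a deny-always row keeps winning even when a second, more permissive set is also assigned.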
Cisco ACS 5.1 Tacacs with Juniper Srx 210
Hi all,
I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
Can anyone help me with how to add a Junos service in ACS 5.1? How do I integrate a Juniper SRX 210 in Cisco ACS 5.1?
Hello Pranav
As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS is capable of handling any TACACS (or RADIUS) device as long as you tell ACS what the TACACS (or RADIUS) attributes needed for that device are.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS view" side. That's how I found out the "local-user-name" attribute.
Please rate if it helps. Kind regards -
Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???
Hi All,
I have used Cisco ACS TACACS for authentication based on Active Directory. Is it possible to use Active Directory as a criterion for authentication AND source IP?
For example, if someone wants to log in to a certain device, they must have correct credentials AND their IP must be sourced from the acceptable subnet range.
Thanks!
I see your point. This will depend on whether the user's IP is provided in the authentication request; if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
1. Create an End Station Filter; here configure the user's IP
2. Customize your Conditions under Access Policies/Authorization to use the End Station Filter
3. Define your rule with the required result -
Domain controller configuration in Cisco ACS 4.2
Hi all,
We have a long-pending ticket that one of our customers has raised with us.
The problem is related to Cisco ACS version 4.2.
The customer has raised a concern that while authenticating with the ACS, requests are reaching the Secondary domain controller instead of the Primary domain controller.
We do not have access to the physical server, but our server team has.
We do have GUI page access via http://<ACS IP>:2002
In our ACS the external database is configured with the domain name; there is no IP-related information for the Domain controller. I think that can be configured on the physical server. In short, we have a Windows server and are running the ACS software on top of that.
How can we prove to the customer that requests for network device authentication are going to the Primary domain controller and not to the secondary domain controller?
Please help us out. We tried before with the server team and ran a command like %logonserver%, which indicated the Primary domain controller IP. Is there any other way to prove this?
Regards,
Kalpesh Modi
The logs we are receiving are not in a proper format; I am unable to understand the details in the logs. Please find the example below:
"Feb 20 12:48:40 ACS0 CSCOacs_Passed_Authentications: 0000412469 3 0 2012-02-20 12:48:40.225 +04:00 0188387558 5200 NOTICE Passed-Authentication: Authentication succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=868, Device IP Address=x.x.x.x, UserName=frad.cole, Protocol=Radius, RequestLatency=24, NetworkDeviceName=dxb-palmj-pop-s93-bds1a, User-Name=frad.cole, NAS-IP-Address=x.x.x.x, NAS-Port=0, Service-Type=Administrative, Framed-Protocol=X.75 Synchronous, Framed-IP-Address=x.x.x.x, Login-IP-Host=x.x.x.x, NAS-Identifier=Dxb-PalmJ-POP-S93-BDS-1A, NAS-Port-Type=-1, NAS-Port-Id=slot=0\;subslot=0\;port=0\;vlanid=0, AcsSessionID=OACS0/109447559/11612656, AuthenticationIdentityStore=AD1, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Radius Rules, SelectedAuthorizationProfiles=JUNIPER-Activation-Ent, SelectedAuthorizationProfiles=Radius-CiscoAVPair-lvl-1, IdentityGroup=IdentityGroup:All Groups:Migrated_Group:Enterprise-Activation, Step=11001"
Is there any other setting to get the logs in a proper format?
Do we need to change the "Facility Code: Local 6" to some other value?
Kindly advise. -
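The record quoted above is not malformed; it is the normal ACS 5.x syslog layout, and the three numbers after the category ("0000412469 3 0") are the message ID, the total number of segments and this segment's index: ACS splits long records into several syslog messages, so a collector has to stitch the segments back together before the attribute list makes sense (the quoted line is segment 0 of 3, which is why it appears to stop early). The script below is an added example, not part of the thread and not Cisco tooling: it parses that header, splits the "key=value" list while honouring ACS's backslash escaping of commas and semicolons (see the NAS-Port-Id value), keeps repeated keys as lists, and reassembles multi-segment messages by (host, category, message ID). The first sample line is the one from the thread; the second message, with two segments, is constructed for this example so that reassembly has something complete to show. The rule that segments concatenate byte-for-byte with no separator is an assumption of this example.

```python
"""Parse and reassemble Cisco ACS 5.x syslog records (added example, not Cisco code)."""
import re
from collections import defaultdict

# Syslog line: "<ts> <host> CSCOacs_<Category>: <msg_id> <total_segments> <segment> <body>"
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<category>CSCOacs_\w+): (?P<msg_id>\d{10}) (?P<segments>\d+) (?P<segment>\d+) (?P<body>.*)$"
)
# Body of a complete message: "<date> <time> <tz> <seq> <code> <severity> <class>: <text>, k=v, k=v, ..."
BODY_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\S+) (?P<tz>\S+) (?P<seq>\d+) (?P<code>\d+) "
    r"(?P<severity>\w+) (?P<msg_class>[^:]+): (?P<rest>.*)$"
)

SAMPLE_LINES = [
    # Segment 0 of 3, quoted from the thread; segments 1 and 2 were not posted.
    r"Feb 20 12:48:40 ACS0 CSCOacs_Passed_Authentications: 0000412469 3 0 2012-02-20 12:48:40.225 +04:00 0188387558 5200 NOTICE Passed-Authentication: Authentication succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=868, Device IP Address=x.x.x.x, UserName=frad.cole, Protocol=Radius, RequestLatency=24, NetworkDeviceName=dxb-palmj-pop-s93-bds1a, User-Name=frad.cole, NAS-IP-Address=x.x.x.x, NAS-Port=0, Service-Type=Administrative, Framed-Protocol=X.75 Synchronous, Framed-IP-Address=x.x.x.x, Login-IP-Host=x.x.x.x, NAS-Identifier=Dxb-PalmJ-POP-S93-BDS-1A, NAS-Port-Type=-1, NAS-Port-Id=slot=0\;subslot=0\;port=0\;vlanid=0, AcsSessionID=OACS0/109447559/11612656, AuthenticationIdentityStore=AD1, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Radius Rules, SelectedAuthorizationProfiles=JUNIPER-Activation-Ent, SelectedAuthorizationProfiles=Radius-CiscoAVPair-lvl-1, IdentityGroup=IdentityGroup:All Groups:Migrated_Group:Enterprise-Activation, Step=11001",
    # Constructed two-segment message (not from the thread) to exercise reassembly; the split
    # deliberately falls inside an attribute name ("Failure" + "Reason").
    r"Feb 20 12:49:01 ACS0 CSCOacs_Failed_Attempts: 0000412470 2 0 2012-02-20 12:49:01.010 +04:00 0188387559 5400 NOTICE Failed-Attempt: Authentication failed, ACSVersion=acs-5.2.0.26-B.3075, UserName=example.user, Protocol=Radius, NAS-Port-Id=slot=0\;subslot=1\;port=3, Failure",
    r"Feb 20 12:49:01 ACS0 CSCOacs_Failed_Attempts: 0000412470 2 1 Reason=22056 Subject not found in the applicable identity store(s), Step=24210",
]


def parse_header(line):
    """Split one syslog line into its ACS envelope fields; segment counters become ints."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an ACS syslog record: %r" % line[:60])
    h = m.groupdict()
    h["segments"], h["segment"] = int(h["segments"]), int(h["segment"])
    return h


def unescape(value):
    """ACS escapes ',' and ';' inside values with a backslash; drop the backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_attributes(rest):
    """Split on ', ' that is not escaped; the first element without '=' is the message text."""
    text, attrs = None, defaultdict(list)
    for part in re.split(r"(?<!\\), ", rest):
        if "=" in part:
            key, value = part.split("=", 1)      # values such as NAS-Port-Id contain '=' too
            attrs[key.strip()].append(unescape(value.strip()))
        elif text is None:
            text = part.strip()
    return text, dict(attrs)


def parse_message(body):
    """Parse a complete (reassembled) message body into header fields plus attributes."""
    m = BODY_RE.match(body)
    if not m:
        raise ValueError("unexpected ACS message body")
    rec = m.groupdict()
    rec["text"], rec["attributes"] = parse_attributes(rec.pop("rest"))
    return rec


def reassemble(lines):
    """Group segments by (host, category, msg_id); return (complete records, incomplete keys)."""
    buckets = defaultdict(dict)
    for line in lines:
        h = parse_header(line)
        buckets[(h["host"], h["category"], h["msg_id"])][h["segment"]] = (h["segments"], h["body"])
    complete, incomplete = [], []
    for key, segs in buckets.items():
        total = max(t for t, _ in segs.values())
        if all(i in segs for i in range(total)):
            rec = parse_message("".join(segs[i][1] for i in range(total)))
            rec["host"], rec["category"], rec["msg_id"] = key
            complete.append(rec)
        else:
            incomplete.append((key, sorted(segs), total))
    return complete, incomplete


if __name__ == "__main__":
    done, pending = reassemble(SAMPLE_LINES)
    for rec in done:
        print(rec["category"], rec["code"], rec["text"], rec["attributes"].get("UserName"))
    for key, have, total in pending:
        print("incomplete", key, "have segments", have, "of", total)
```

Run on the sample it reports the thread's own record as incomplete (segment 0 of 3 only) and fully decodes the constructed two-segment one, including the "FailureReason" attribute that only exists once the two halves are joined; the practical takeaway for the poster is that the collector, not the ACS facility code, needs to handle segmentation.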
Hi
I have at present a Cisco ACS server 3.3. I want to upgrade the server to the latest version and also cluster it with another one so that we could have a redundant infrastructure, so that if one fails the other one takes over.
Can you provide a suitable solution for this?
Thanks
Hi,
The latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
Regards,
Vivek -
Cisco ACS questions for new deployment
Hi all, I am designing a new Cisco ACS deployment to handle AAA services for all our network devices. I have read the user guides and I understand the different deployment scenarios. However, what I could not find in the user guide were answers to the questions below...
Number of AAA clients, using command authorisation, that a single ACS server can handle?
Does a Large Add-On license (for more than 500 nodes) need to be purchased for every ACS server, or does one license cover the whole deployment?
How is AAA load-balancing performed? Does each AAA server need to be defined individually on every Network device? Or is there some intelligence build in to the AAA servers so that they can distribute the load themselves? Or can a load balancer be used like you can with Cisco ISE PSN nodes?
Thanks
Mario
The supported number of clients depends on the license, for example:
The base license is required for all deployed software instances and for all appliances. The base license enables you to use all ACS functions except license-controlled features, and it enables standard centralized reporting features.
The base license:
Is required for all primary and secondary ACS instances.
Is required for all appliances.
Supports deployments that have a maximum of 500 NADs.
The following are the types of base licenses:
Permanent—Does not have an expiration date. Supports deployments that have a maximum of 500 NADs.
Evaluation—Expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 NADs. -
ACS 5.3 - Error when changing Device group or Location
I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox):
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: ACS1
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.3.0.40
Internal Build ID : B.839
I suspect it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it please?
I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
Mel
Does this happen to a small number of network devices or the whole set?
If the former, then I found the following CDETS:
CSCtw59271 Random Network Device corruption after upgrade from ACS 5.2 to 5.3
Which includes the following workaround
Symptom 1: Delete and re-add the AAA client
Symptom 2:Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device.
>>>> Use case where TACACS+ was used
There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs I do recommend installing this patch -
CISCO ACS, How to Limit User Session ?
Hi Guys,
I hope you can help me.
How do I limit user sessions in ACS 5.x?
I'm aware of the menu at
Access Policies > Max User Session Policy > Max Session Group Settings
I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
So that means the user could only open 1 connection at a time, right?
The problem is, it didn't work.
I have 1 ACS 5.5
2 Cisco routers running Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
(let's call them R1 and R2)
I'm trying to telnet to both of them at the same time, and it works (which means the session limit didn't work, CMIIW).
I already included:
radius-server attribute 44 include-in-access-req
radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
On the line vty:
accounting connection acs
login authentication acs
Am I missing something?
Also, does this feature work on TACACS+ too?
Thanks,
Dash,
You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
Thanks,
Tarik Admani -
Hi Everyone,
I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
Connectivity between them is ok, same subnets. I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory. Both of these ACSes are used to authenticate my network devices.
Every time I use the web UI to log into the Secondary ACS (https://CiscoACS2), I can see that CiscoACS2 is synced with CiscoACS1; the status is always "UPDATED".
However, if I use the web UI on the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending".
I've tried to do a "full replication" and eventually it will show up as "UPDATED", but a few hours later it will show up as "PENDING".
Does anyone know why? Is this a "bug"?
Thanks in advance.
Hi,
If the replication status on the ACS1 GUI is showing pending, then you should know that full replication happens over the Sybase DB TCP port 2638, so that port needs to be open on the firewall.