Cisco Secure 3.2 appliance
Hi All,
We are running Cisco Secure on Unix, version 2.3(3). We have around 2000 dial-in users. We have bought 2 new Cisco Secure appliances, version 3.2.
Can you please let me know if you have any migration tools for migrating the users from the Unix database to the Windows database.
Appreciate all your comments.
Thanks
Sumeeth
Unfortunately this is not a supported migration.
Similar Messages
-
Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.
Hello,
I am having a Cisco Secure ACS 4.X Solution Engine 1113 Appliance, and it is running on version Cisco Secure ACS Release 4.1(1) Build 23, and now I want to upgrade it to the latest version. I need to know the upgrade path for the same. As per my information, ACS 4.1(1) runs on Windows Server and releases post 5.X use Linux. Please guide how I can upgrade Appliance 1113 from 4.1 to 5.x
Hi,
The Cisco ACS 1113 appliance doesn't support the ACS 5.x version. The 1113 appliance supports up to ACS 4.2.1.
Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
Regards,
Karthik Chandran
*kindly rate helpful post* -
Hi Team ,
I have 2 appliances from which I am not able to remove a particular device from a Network Device Group.
When I try to remove the device, the following error is thrown:
Failed to edit INMUM-VPE-T1-3rdFloor-3750-S.... Reason: The Host no longer exists.
Appliance is running on Version : Cisco Secure ACS 4.2.0.124
Has anyone come across such issues? Does anyone know the solution?
Regards
Vineeth
Hello Vineeth
Yes, you can do this through the GUI.
On GUI :
1. ACS gui > network configuration > click "search" and click "search" again.
2. Complete list of all network device will appear. On top, you will see an option to "download".
Download the complete file.
Let me know if it helps.
thanks
Devashree Saha -
Features of Cisco Secure ACS Appliance
Hi,
I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
The questions I wasn’t able to answer are:
• Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
• What happens if the server(s) fail?
o Can already authorized users still work?
o Can known users still be authorized?
o Are unknown users still blocked?
• Is the ACS capable of authorizing users through routed networks or VPN tunnels?
• Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
• Is there (besides of the reports) some kind of status overview with the ACS?
• Which kinds of Attacks can the ACS (alone) prevent?
o Can it prevent MAC Spoofing?
o Can it prevent MAC Flooding?
o Can it prevent ARP Attacks?
o Can it prevent IP Spoofing?
o Can it eliminate rogue DHCP servers?
o Can it prevent STP Attacks
• And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
Thanks for all answers.
Regards,
taouri
See inline answers:
The questions I wasn’t able to answer are:
• Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
Yes, as long as those devices support the RADIUS and TACACS+ IETF standards. Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do. You'll need to get details from the specific vendor on their requirements to ensure it'll work.
• What happens if the server(s) fail?
o Can already authorized users still work?
This is driven by the AAA client, not the ACS. In general, if it isn't reauthenticating the users, then yes, they'll still work
o Can known users still be authorized?
In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
o Are unknown users still blocked?
Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
• Is the ACS capable of authorizing users through routed networks or VPN tunnels?
Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
• Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
• Is there (besides of the reports) some kind of status overview with the ACS?
Yes, this is covered in the documentation for the appropriate ACS solution. Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
• Which kinds of Attacks can the ACS (alone) prevent?
ACS authenticates and authorizes users. It isn't in and of itself a device for prevention of the L2 attacks you list.
o Can it prevent MAC Spoofing?
o Can it prevent MAC Flooding?
o Can it prevent ARP Attacks?
o Can it prevent IP Spoofing?
o Can it eliminate rogue DHCP servers?
o Can it prevent STP Attacks
• And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
This depends on how you configure the dot1x parameters on the port. In general, this is often configured in single-host mode with a voice VLAN for the phone. The phone passes through the EAPoL traffic the client passes, and in single-host mode we rely on CDP bypass for the phone itself to bypass authentication. There are excellent documents for the various dot1x configuration options in our IBNS (Identity-Based Network Solutions) section here:
http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html -
Hi all,
With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization, and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured.
So, when I have 1 firewall as the VPN gateway, and am using ACS as the AAA server, how many network access devices are counted? 1, or as many as the VPN clients connected to the firewall?
Does 500 network access devices mean concurrent connections or not?
ACS is based on the number of NADs (Network Access Devices) like switches, routers, ASAs, etc. So in your example, your firewall will consume 1 license regardless of the total number of VPN sessions.
With ISE, the licenses are based on the total number of endpoints. So in your example, each VPN session will take a license.
I hope this helps!
Thank you for rating helpful posts! -
Reporting & Audit Compliance Solutions for Cisco Secure ACS
The Cisco Secure ACS Access Control Server is probably the world's best-selling remote access security solution and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
Featured Products:
* aaa-reports! enterprise edition - Automated Reporting
The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
* csvsync - Automated ACS Database & Log File Collection
csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum
bump
-
Hi all,
Another question: we have a Cisco Secure ACS appliance here and would like to change its IP address. Based on the Cisco doc, this can be done through the console, but we're unable to log in through the console. Below is the appliance info. Any input would be appreciated.
Application Versions
Cisco Secure ACS 3.3.1.16
Appliance Management Software 3.3.1.16
Appliance Base Image 3.3.1.6
CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
-YL
If you are unable to log in through the console, make sure the baud rate is set to 115200 and then try again.
Also, using HyperTerminal instead of PuTTY helps a lot.
Thanks,
Tarik -
Cisco Secure Access Control Server Solution Engine OR Cisco Secure Access Server ?
Which product is really affected, the Cisco Secure Access Control Server Solution Engine, which is a hardware appliance with software from 3.2 to 4.2, or the Cisco Secure Access Control Server software appliance available for installing as a virtual machine into VMware ESX/ESXi 5.0 with 5.X software?
Thank you for clarifying
Best regards
Marco
Hi Thomas,
You can download ACS for windows 4.1 or 4.2 from the below listed link:
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval
For ACS 5.x, please visit cisco.com
Download software > Security > Cisco Secure Access Control System 5.x > Secure Access Control System Software
HTH
Regards,
Jatin
Plz rate helpful posts- -
Cisco Secure ACS license question.
On the Cisco ACS server under the internal identity stores… is “users” and “host” counted against the "base server license" or “network device license”?
Guess you are running ACS 5.x
With the Base license, Cisco Secure ACS 5.3 appliances or software virtual machines can support deployments of up to 500 network devices (authentication, authorization, and accounting [AAA] clients). The number of network devices is based on how many unique IP addresses are configured. This is not a limit for each individual appliance or instance, but a deployment-wide limit that applies to a set of ACS instances (primary and secondary) that are configured for replication.
The optional Large Deployment add-on license allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment as it is shared by all instances.
For more info:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-689829.html
~BR
Jatin Katyal
**Do rate helpful posts** -
Hi,
I'm looking into Cisco Security Manager. From what I understand you can monitor and manage Cisco security appliances. I'm interested in the monitoring of our Cisco ASAs - specifically, monitoring VPN sessions and their trending over months at a time and I would like to monitor other Cisco devices on the network for link problems/performance and such - I don't want to use Cisco Security Manager as a management point. Would Cisco Security Manager not be the right tool for this?
We have SolarWinds and I've heard that you can assign UnDPs(Device Pollers) to devices you want to monitor, including ASAs and these pollers can give you trending for VPN sessions with graphing. I just want to make the most of our budget dollars.
Any advice?
Thanks, Pat.
CSM 4.3 and above can be used to monitor VPN sessions on Cisco ASAs. You can definitely use CSM as a monitoring-only solution for ASAs (without using it for management). You can also explicitly disable policy change privileges for all admins so they do not modify stuff by mistake. Note however that CSM is primarily focused on end-to-end management scenarios (including policy change, troubleshooting, reporting, etc). So you may not find all the bells and whistles in CSM for monitoring scenarios that you may find with some of the pure monitoring-only solutions.
-
Cisco Secure ACS 4.2 with Oracle
hi there...
Our campus is using WiSM (WS-SVC-WISM-1-K9) as the wireless controller, Cisco 1130 access points and the Cisco Secure ACS 4.2 Solution Engine 1113 Appliance as the RADIUS server. For username and password, ACS will export the data from the Oracle database (production DB).
The problem that we are facing right now is that the password stored in the Oracle database is in encrypted format. Based on feedback from our database administrator, the encryption is done by Oracle at the application layer and cannot be decrypted. In Oracle they call it "Oracle Stored Procedures".
My questions :
1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
Please advise.
Thanks
Microsoft SQL Server and Case-Sensitive Passwords
If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
Sample Routine for Generating a PAP Authentication SQL Procedure
The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
-- Drop any existing copy, then create the PAP procedure.
-- The ACS 4.x documentation writes the string literals in double quotes; they are
-- single-quoted here so the script runs with SQL Server's default QUOTED_IDENTIFIER ON.
IF EXISTS (SELECT * FROM sysobjects
           WHERE id = object_id('dbo.CSNTAuthUserPap') AND sysstat & 0xf = 4)
    DROP PROCEDURE dbo.CSNTAuthUserPap
GO

CREATE PROCEDURE CSNTAuthUserPap
    @username varchar(64), @pass varchar(255)
AS
SET NOCOUNT ON
-- ACS passes the cleartext password the client sent; the comparison against
-- the stored csntpassword column happens here, inside the database.
IF EXISTS (SELECT username
           FROM users
           WHERE username = @username
             AND csntpassword = @pass)
    SELECT 0, csntgroup, csntacctinfo, 'No Error'
    FROM users
    WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO

GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
GO
Sample Routine for Generating an SQL CHAP Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
-- Drop any existing copy, then create the CHAP/MS-CHAP/ARAP procedure.
-- String literals are single-quoted so the script runs with QUOTED_IDENTIFIER ON.
IF EXISTS (SELECT * FROM sysobjects
           WHERE id = object_id('dbo.CSNTExtractUserClearTextPw') AND sysstat & 0xf = 4)
    DROP PROCEDURE dbo.CSNTExtractUserClearTextPw
GO

CREATE PROCEDURE CSNTExtractUserClearTextPw
    @username varchar(64)
AS
SET NOCOUNT ON
-- No password is passed in: the procedure returns the stored password as a
-- fifth column, and ACS itself performs the CHAP/MS-CHAP/ARAP verification.
IF EXISTS (SELECT username
           FROM users
           WHERE username = @username)
    SELECT 0, csntgroup, csntacctinfo, 'No Error', csntpassword
    FROM users
    WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO

GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
GO
Sample Routine for Generating an EAP-TLS Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
-- Drop any existing copy, then create the EAP-TLS procedure.
-- String literals are single-quoted so the script runs with QUOTED_IDENTIFIER ON.
IF EXISTS (SELECT * FROM sysobjects
           WHERE id = object_id('dbo.CSNTFindUser') AND sysstat & 0xf = 4)
    DROP PROCEDURE dbo.CSNTFindUser
GO

CREATE PROCEDURE CSNTFindUser
    @username varchar(64)
AS
SET NOCOUNT ON
-- Only confirms that the user exists and returns group and account info;
-- no password column is read or returned.
IF EXISTS (SELECT username
           FROM users
           WHERE username = @username)
    SELECT 0, csntgroup, csntacctinfo, 'No Error'
    FROM users
    WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO

GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
GO
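The three procedures above differ in one security-relevant way: the PAP procedure receives the client's cleartext password and does the comparison inside the database, while the CHAP/MS-CHAP/ARAP procedure must hand the stored password back to ACS, which does the comparison itself. That is exactly why the Oracle situation in the question (passwords stored only as a one-way hash) can work for PAP but not for CHAP-family methods. The following Python model is an added example, not code from the thread or from Cisco: it imitates the two procedure contracts over a constructed in-memory users table (the dict, the fixed PBKDF2 salt, the user "alice" and her password are all my assumptions), and verifies a CHAP response the way an AAA server must, per RFC 1994 (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac

ODBC_OK = 0            # first result column of the sample procedures: success
ODBC_AUTH_ERROR = 3    # first result column of the sample procedures: failure


def pbkdf2(password: str) -> str:
    """One-way hash standing in for the 'done in the database layer' encryption
    the thread's DBA describes. The fixed salt (constructed) keeps the example
    deterministic; a real deployment would store a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000).hex()


# Two constructed 'users' tables with the column names of the sample procedures
# (username, csntpassword, csntgroup, csntacctinfo). They differ only in what
# csntpassword holds: the password itself, or a one-way hash of it.
USERS_CLEARTEXT = {"stores": "cleartext", "rows": {
    "alice": {"csntpassword": "Corr3ctHorse", "csntgroup": 5, "csntacctinfo": "campus-wifi"}}}
USERS_HASHED = {"stores": "hash", "rows": {
    "alice": {"csntpassword": pbkdf2("Corr3ctHorse"), "csntgroup": 5, "csntacctinfo": "campus-wifi"}}}


def csnt_auth_user_pap(table, username, password):
    """CSNTAuthUserPap contract: ACS passes the cleartext password the client
    sent; the procedure decides the match and returns (code, group, acctinfo,
    message). Because the comparison happens inside the database, the column
    may hold a hash and the procedure simply hashes the candidate the same way."""
    row = table["rows"].get(username)
    if row is not None:
        candidate = pbkdf2(password) if table["stores"] == "hash" else password
        if hmac.compare_digest(candidate.encode(), row["csntpassword"].encode()):
            return (ODBC_OK, row["csntgroup"], row["csntacctinfo"], "No Error")
    return (ODBC_AUTH_ERROR, 0, "odbc", "ODBC Authen Error")


def csnt_extract_user_clear_text_pw(table, username):
    """CSNTExtractUserClearTextPw contract: no password comes in; the procedure
    returns whatever the column holds as a fifth value, and ACS does the
    CHAP/MS-CHAP/ARAP arithmetic with it."""
    row = table["rows"].get(username)
    if row is None:
        return (ODBC_AUTH_ERROR, 0, "odbc", "ODBC Authen Error", None)
    return (ODBC_OK, row["csntgroup"], row["csntacctinfo"], "No Error", row["csntpassword"])


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def aaa_verify_chap(table, username, ident, challenge, response):
    """Server side of CHAP as an ODBC-backed AAA server must do it: fetch the
    secret through the extract procedure, recompute the expected response from
    it, and compare in constant time."""
    code, _group, _acct, _msg, secret = csnt_extract_user_clear_text_pw(table, username)
    if code != ODBC_OK or secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def demo():
    """Runs the four cases that matter for the question in the thread."""
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed challenge
    # The client always hashes the password it knows, never a stored hash.
    client_resp = chap_response(7, "Corr3ctHorse", challenge)
    return {
        "pap_hashed_ok":  csnt_auth_user_pap(USERS_HASHED, "alice", "Corr3ctHorse")[0] == ODBC_OK,
        "pap_hashed_bad": csnt_auth_user_pap(USERS_HASHED, "alice", "wrong")[0] == ODBC_AUTH_ERROR,
        "chap_cleartext": aaa_verify_chap(USERS_CLEARTEXT, "alice", 7, challenge, client_resp),
        "chap_hashed":    aaa_verify_chap(USERS_HASHED, "alice", 7, challenge, client_resp),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Running it shows PAP succeeding against the hashed table while CHAP against the same table fails even though the client supplied the right password: the server recomputes MD5 over the stored hash string, not over the password the client used. The trade-off this makes visible is the one the documentation's case-sensitivity section hints at: CHAP-family methods require a recoverable password in the store, so the choice of authentication method decides whether the database may hold only one-way hashes.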
Reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420 -
Recovery for cisco security mars
Hello
Post me a document in order to perform recovery for cisco security mars 25 series
Thanks
It sounds like there may be either a problem with the RAID controller [configuration] or, though unlikely, a hardware failure. You'd need to check the RAID controller BIOS to see if there's a hard disk drive problem or a RAID configuration problem. Also check whether the RAID controller is damaged, as the disks are not recognized at all.
Rebuild the Raid and reimage the appliances. -
Remote desktop connection blocked by cisco security agent
Hi,
I have a deployment of Management Center for Cisco Security Agents 6.0.2 and I just noticed that the agent is blocking remote desktop connections to the hosts. The agent installed on the server shows me the event, but I'm not able to see it logged on the Management Center (I can see any other events logged). I'm not sure what rule I should enable in order to allow this connection.
Do you have any ideas???
Thanks in advance...
Hi,
Remote desktop connection uses the highest possible security level encryption method between the source and destination.
In Windows Vista or later versions of Windows, the remote desktop connection uses the SSL (TLS 1.0) Protocol and the encryption is Certificate-based.
TS Gateway can also make the connection more secure, enhance security, see detailed information in this link
http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx
Don't forget some known official anti-virus software; they can also protect the connection from network attack.
Yolanda Zhu
TechNet Community Support -
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,
(getting error message as Internal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the internal error.
After this answer I upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu -
Link does not work for
End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
How do we get Cisco to fix?
see attachment
Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.