Cisco Secure ACS 4.0 Solution engine problem

Similar Messages

• Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.

  Hello,
  I am having Cisco Secure ACS 4.X Solution Engine 1113 Appliance, and is running on version Cisco Secure ACS Release 4.1(1) Build 23 and now want to upgarde it to the latest version. Need to know the upgrade path for the same. As per my information ACS 4.1(1) runs on windows server and releases post to 5.X uses Linux. Please guide how can i upgrade Appliance 1113 from 4.1 to 5.x

  Hi,
  Cisco ACS 1113 appliance doesn't support ACS 5.x version. 1113 appliance supports till ACS 4.2.1 version.
  Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
  The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
  Regards,
  Karthik Chandran
  *kindly rate helpful post*

• Cisco Secure Access Control Server Solution Engine OR Cisco Secure Access Server ?

  Which product is really affected, the Cisco Secure Access Control Server Solution Engine which is a hardware applliance with software from 3.2 to 4.2 or the Cisco Secure Access Control Server Software appliance available for installing as a virtual machine into VMware ESX/ESXi 5.0 with 5.X software ?
  Thank you for clarifying
  Best regards
  Marco

  Hi Thomas,
  You can download ACS for windows 4.1 or 4.2 from the below listed link:
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval
  For ACS 5.x, please visit cisco.com
  Download software > Security  > Cisco Secure Access Control System 5.x  > Secure Access Control System Software
  HTH
  Regards,
  Jatin
  Plz rate helpful posts-

• Cisco Secure ACS 4.2 with Oracle

  hi there...
  Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco  1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113  Appliance as radius server. For username and password, ACS will export the data from Oracle database(production DB).
  The problem that we are facing right now is password that store in oracle database is in  encrypted format. Base feedback from our database administrator, the  encryption is done by oracle - application layer and cannot be decrypt  back. In Oracle they call it "Oracle Stored Procedures"
  My questions :
  1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
  2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
  Please advice.
  Thanks

  Microsoft SQL Server and Case-Sensitive Passwords
  If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
  For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
  For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
  Sample Routine for Generating a PAP Authentication SQL Procedure
  The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id (`dbo.CSNTAuthUserPap') and
                           sysstat & 0xf = 4)drop procedure dbo.CSNTAuthUserPap
                           GO
                           CREATE PROCEDURE CSNTAuthUserPap
                           @username varchar(64), @pass varchar(255)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username
                           AND  csntpassword  = @pass )
                           SELECT 0,csntgroup,csntacctinfo,"No Error"
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
                           GO
  Sample Routine for Generating an SQL CHAP Authentication Procedure
  The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id(`dbo.CSNTExtractUserClearTextPw') 
                           and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
                           GO
                           CREATE PROCEDURE CSNTExtractUserClearTextPw
                           @username varchar(64)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username )
                           SELECT 0,csntgroup,csntacctinfo,"No Error",csntpassword
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
                           GO
  Sample Routine for Generating an EAP-TLS Authentication Procedure
  The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id(`dbo.CSNTFindUser') and 
                           sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
                           GO
                           CREATE PROCEDURE CSNTFindUser
                           @username varchar(64)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username )
                           SELECT 0,csntgroup,csntacctinfo,"No Error"
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
                           GO
  Reference:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420

• Manage a Cisco Secure ACS Solution Engine?

  Hello,
  how can i manage/observe a 'Cisco Secure ACS Solution Engine'? Ich found no things like SNMP etc.
  regards
  Karsten

  Hi,
  you have no chance to control the ACS SE with snmp. We have one router, access via ACS and uses a script roboter to control the access to the router. If the access fails, we send us an email
  Bye Michael

• Adding Users on Cisco Secure ACS Solution Engine 3.3

  We have a large block of userids we need to add to our ACS 3.3 Solution Engine into the CiscoSecure User Database. When using the web-based GUI, it looks like you can only add one user at a time. Is there anyway to add users as a block with some type of command line, or is there a utility that will add users and also copy user options? It would be helpful if in the Add/Edit user panel, there was the ability to copy settings from a previously installed user definition.

  I'm not sure that csutil would setup all the parameters I need, so I would have to choose CSDBSync. Tacacs is used and not Radius. I need the user to initially be configured disabled, specify his/her real name and description, assign the user to a group, assign a PAP password and confirmation, use group settings for callback, client ip address assignment, and max sessions, establish a date to automatically disable the account, provide no enable privileges, and set a Tacacs+ Outbound password.

• Reporting & Audit Compliance Solutions for Cisco Secure ACS

  The Cisco Secure ACS Access Control Server is probably the worlds best selling remote access security solutions and its quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
  extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
  We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
  Featured Products:
  * aaa-reports! enterprise edition - Automated Reporting
  The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
  With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
  For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
  * csvsync - Automated ACS Database & Log File Collection
  csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
  Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
  Fore more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

  bump

• Cisco ACS 4.2 Solutions Engine replacement advice

  Hi everyone,
  I am hoping to get some advice on an upcoming upgrade.  We currently have a Cisco ACS 4.2 Solutions Engine.  (That's the physical appliance).  It is coming to end of support and we are looking to replace.  Here is what we use it for today:
  1. TACACS+ AAA for all routers and switches.  Gives us great reporting.
  2. PEAP Authentication for our wireless network off of a 5508 Wireless Controller.
  3. Machine Access Restrictions for our Wireless network.  (Basically Machine Authentication)
  I believe that is all we use it for today.  That said, hoping to get some of your opinions on a replacement.
  Any advice or opinions are greatly appreciated.
  Thanks,
  Josh

  Hi Josh,
    To add up to the above post, You will have to undergo the migration process from going to ACS 4.2 to ACS 5.4.
  Here is the migration guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/migration/guide/Migration_support.html
  Regards
  Minakshi
  (Do rate the helpful posts )

• Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

  To Whomever Can Assist,
        I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can login into the admin web-console just fine.  However, when I create a new or test user that mirror my configuration that user cannot login to the admin web-console.  The user can login it to devices with the appropriate privileges, but can't administer his/her account within ACS.  This has proven very problematic and needs a remedy.  Thanks for the assistance.

  Bradbryant.dhs,
  Where are you creating the new admin user who should have access to ACS web gui under internal users or administration.
  Internal user and ACS administrator accounts are completely different. 
  Adding administrator account
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
  Regards,
  Jatin Katyal
  ** Do rate helpful posts **

• Cisco ACS 4.2 Solutions Engine replacement

  Hi,
  Our ACS appliance (Cisco 1113) has died and it is not cost effective to get it replaced as it will only be used until the end of this year.
  Is it possible to get the tacacs software to install on a Windows server? How do I go about sourcing the software as the original documentation is no longer available? Will the fact that I have a defunct appliance be sufficient proof to get a copy of the software? We are currently running v4.1
  Thanks.

  Here is a path to download the Eval version of ACS 4.2 windows.
  Cisco.com > Downloads Home > Products >  Security > Access Control and
  Policy > Policy and Access Management > Cisco Secure Access Control
  Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access
  Control Server (ACS) for Windows-4.2.0.124 > scroll down to the bottom
  and you will see a file named
  ACS v4.2.0.124 90-Days Evaluation Software
  eval-ACS-4.2.0.124-SW.zip
  Installing ACS on windows
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html
  Once installed you can restore the previous backup on the windows server.
  Restoring ACS from a backup file
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/SCBasic.html#wp222758
  Jatin Katyal
  - Do rate helpful posts -

• Cisco Secure ACS with UCP assistance and enable password

  I am running Cisco Secure ACS version 4.2 running on a
  Standalone Windows 2003 Enterprise 2003with the lastest
  windows service pack and update. Secure ACS is running
  fine and I can authenticate with Cisco routers and
  switches. The Windows 2003 server is also running Microsoft
  IIS Server. In other words, the IIS server and Cisco
  Secure ACS is running on the same windows 2003 server.
  I am trying to get Cisco User-Changeable password to work
  with Cisco Secure ACS. I followed the release notes lines
  by lines and the work around provided below:
  Also server require more privileges for the internal windows user that runs CSusercgi.exe.
  The name of the windows user that runs UCP is IUSR_<machine_name>.
  Workaround steps:
  1) Install UCP 4 on a machine that runs IIS server.
  2) Open IIS manager
  3) Locate Default Web Site
  4) Double click on the virtual name 'securecgi-bin'
  5) Right click on CSusercgi.exe and choose Properties
  6) Choose 'File Security' tab
  7) Choose 'Edit' in 'Authentication and access control' area
  8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
  password (make sure that 'Integrated Windows authentication' is checked)
  I still can NOT get this to work. I got this error:
  It says:
  The page cannot be found
  The page you are looking for might have been removed,
  had its name changed, or is temporarily unavailable.
  HTTP Error 404 - File or directory not found.
  Internet Information Services (IIS)
  I modified everything in the Windows 2003 to be "ALLOWED" by
  EVERYONE. In other words, there are NO security on the windows 2003.
  It is still NOT working.
  The other question I have is that can Cisco UCP allow user
  to change his/her enable password?
  Can someone help? Thanks.

  Yes bastien,
  Thank you.
  But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
  I've given it several time; also going through Administrator account with administrative credentials but it always failed.
  Any suggestions/solution/?
  This time many thanks in advance.
  Regards
  Mehdi Raza

• With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

  Hello Everybody,
  I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
  I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
  Thanks in advance and regards....

  Hello Scott,
  Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
  Thanks and regards...

• Cisco Secure ACS wont' replicate

  Hello Community,
  I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
  They can both talk to each other, but the replication status is stuck in pending. See attachment.
  Any help will be greatly appreciated..
  Cheers
  Carlton

  Well that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
  If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server. 
  If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
  After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment.

• Troubleshooting Cisco Secure ACS on Windows - Q&A clarification.

  In a Cisco Press publication "Troubleshooting Cisco Secure ACS on Windows" (http://www.ciscopress.com/articles/article.asp?p=474238&seqNum=6&rl=1), I read the following question:
  How can I disable the users' option to change the password by using Telnet to access the router?
  It has an answer describing certain details. However, the question itself is not clear to me. Could someone explain them a little more clearly?
  Thanks.

  At the command prompt on a router its possible to start a password change request over TACACS to the ACS server.
  I think you enter an empty password twice as I recall.
  This can cause problems if users change their password on a "slave" ACS which is then replicated to from a "master" thus setting the password back to its pre-changed value.

• About Cisco secure ACS v3.0

  HI
  I have rebuilt the Tacac server for cisco secure ACS v3.0 and then retore all the data via the "data restore" under the system configuration.
  After rebuilt, it was only working for one day... and then it fails to authenticate users. I checked the event viewer, the error message is:
  ODBC authentication dll failed to initalise, code -1110
  and
  CSMon message: Problem Logging on to CSTacacs. Got as far as Starting Processing in Auth module
  any idea?
  Thanks

  Hi
  When I tried to view it, it says:
  This bug is no longer available in Bug Toolkit. Click bug ID for details.
  would you be able to provide more information for this bug please?
  Thanks
  kind regards
  Rachel