Cisco Secure ACS Appliance - Failed to edit ....Reason: The Host no longer exists.
Hi Team,
I have 2 appliances from which I am not able to remove a particular device from a Network Device Group.
When I try to remove the device, the following error is thrown:
Failed to edit INMUM-VPE-T1-3rdFloor-3750-S.... Reason: The Host no longer exists.
The appliance is running version: Cisco Secure ACS 4.2.0.124
Has anyone come across such issues? Does anyone know the solution?
Regards
Vineeth
Hello Vineeth
Yes, you can do it through the GUI.
On GUI :
1. ACS gui > network configuration > click "search" and click "search" again.
2. A complete list of all network devices will appear. On top, you will see an option to "download".
Download the complete file.
Let me know if it helps.
thanks
Devashree Saha
Similar Messages
-
Failed to edit "RouterHostname" Reason:The Host no longer exist
Hi all,
I am trying to delete AAA client "RouterHostname" from ACS Ver 4.0 and getting the following message:
Failed to edit "RouterHostname" Reason:The Host no longer exist.
Does anybody know how to delete this router from ACS?
TUHafez,
This happens due to data corruption. You need to open a tac case to fix it.
Thanks,
~JG -
Features of Cisco Secure ACS Appliance
Hi,
I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
The questions I wasn’t able to answer are:
• Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
• What happens if the server(s) fail?
o Can already authorized users still work?
o Can known users still be authorized?
o Are unknown users still blocked?
• Is the ACS capable of authorizing users through routed networks or VPN tunnels?
• Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
• Is there (besides of the reports) some kind of status overview with the ACS?
• Which kinds of Attacks can the ACS (alone) prevent?
o Can it prevent MAC Spoofing?
o Can it prevent MAC Flooding?
o Can it prevent ARP Attacks?
o Can it prevent IP Spoofing?
o Can it eliminate rogue DHCP servers?
o Can it prevent STP Attacks?
• And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
Thanks for all answers.
Regards,
taouri
See inline answers:
The questions I wasn’t able to answer are:
• Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
Yes, as long as those devices support RADIUS and TACACS+ IETF standards. Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do. You'll need to get details from the specific vendor on their requirements to ensure it'll work.
• What happens if the server(s) fail?
o Can already authorized users still work?
This is driven by the AAA client, not the ACS. In general, if it isn't reauthenticating the users, then yes, they'll still work.
o Can known users still be authorized?
In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
o Are unknown users still blocked?
Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
• Is the ACS capable of authorizing users through routed networks or VPN tunnels?
Yes, as long as the VPN device is capable of sending RADIUS or TACACS+ requests to the ACS.
• Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
• Is there (besides of the reports) some kind of status overview with the ACS?
Yes, this is covered in the documentation for the appropriate ACS solution. Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
• Which kinds of Attacks can the ACS (alone) prevent?
ACS authenticates and authorizes users. It isn't in and of itself a device for prevention of the L2 attacks you list.
o Can it prevent MAC Spoofing?
o Can it prevent MAC Flooding?
o Can it prevent ARP Attacks?
o Can it prevent IP Spoofing?
o Can it eliminate rogue DHCP servers?
o Can it prevent STP Attacks?
• And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
This depends on how you configure the dot1x parameters on the port. In general, this is often configured in single-host mode with a voice vlan for the phone. The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication. There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html -
Reporting & Audit Compliance Solutions for Cisco Secure ACS
The Cisco Secure ACS Access Control Server is probably the world's best-selling remote access security solution, and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take, and what valuable data remains locked inside the ACS database and logs?
extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
Featured Products:
* aaa-reports! enterprise edition - Automated Reporting
The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
* csvsync - Automated ACS Database & Log File Collection
csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forumbump
-
Hi all,
Another question: we have a Cisco Secure ACS appliance here and would like to change its IP address. Based on the Cisco doc, this can be done through the console, but we're unable to log in through the console. Below is the appliance info. Any input would be appreciated.
Application Versions
Cisco Secure ACS 3.3.1.16
Appliance Management Software 3.3.1.16
Appliance Base Image 3.3.1.6
CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
-YL
If you are unable to log in through the console, make sure the baud rate is set to 115200 and then try again.
Also, using HyperTerminal instead of PuTTY helps a lot as well.
Thanks,
Tarik -
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc.).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the Internal Error.
After this answer I upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu -
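The 'Internal error' line quoted in the post above is a row from the ACS Failed Attempts CSV log. The following is an added example, not code from the thread or from Cisco: a small parser that reads such rows and separates server-side 'Internal error' failures (which, as the reply notes, pointed at the ACS host rather than at a bad password) from ordinary credential failures. The column names and the sample rows are assumptions constructed for this example; the page only shows a single raw line.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed column layout for the ACS 4.x Failed Attempts CSV export.
# The names are an assumption for this example; the post shows only a raw
# row, not the header. Only the first nine fields are modelled here.
FIELDS = [
    "date", "time", "message_type", "user_name", "group_name",
    "caller_id", "nap_name", "authen_failure_code", "author_failure_code",
]

# Constructed sample rows modelled on the line quoted in the post.
# Users, IPs and times are made up for this example.
SAMPLE_LOG = """\
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,
02/24/2010,05:07:41,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,
02/24/2010,05:09:12,Authen failed,jdoe,Default Group,10.0.0.5,(Default),CS password invalid,,
02/24/2010,05:10:00,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,
02/24/2010,05:12:30,Authen failed,svc-backup,Default Group,10.0.0.7,(Default),External DB user invalid or bad password,,
"""


def parse_failed_attempts(text):
    """Parse Failed Attempts CSV rows into dicts keyed by FIELDS."""
    rows = []
    for raw in csv.reader(StringIO(text)):
        if not raw or len(raw) < len(FIELDS):
            continue  # skip blank or truncated rows rather than crash on them
        # ACS pads some fields with trailing spaces (see group_name above)
        rows.append({key: value.strip() for key, value in zip(FIELDS, raw)})
    return rows


def failures_by_code(rows):
    """Count failures per Authen-Failure-Code to see what dominates the log."""
    return Counter(r["authen_failure_code"] for r in rows)


def internal_error_users(rows, threshold=2):
    """Users with at least `threshold` 'Internal error' failures.

    'Internal error' is not a wrong-password outcome. Repeated hits for the
    same user are a signal to look at the ACS server (in the thread, an
    unsupported 64-bit install) rather than at the user's credentials.
    """
    per_user = Counter(
        r["user_name"] for r in rows
        if r["authen_failure_code"] == "Internal error"
    )
    return {user: n for user, n in per_user.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_failed_attempts(SAMPLE_LOG)
    print(failures_by_code(parsed))
    print(internal_error_users(parsed))
```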
Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.
Hello,
I have a Cisco Secure ACS 4.X Solution Engine 1113 Appliance running Cisco Secure ACS Release 4.1(1) Build 23, and now want to upgrade it to the latest version. I need to know the upgrade path for the same. As per my information, ACS 4.1(1) runs on Windows Server and releases from 5.X onward use Linux. Please guide me on how I can upgrade Appliance 1113 from 4.1 to 5.x.
Hi,
Cisco ACS 1113 appliance doesn't support ACS 5.x version. 1113 appliance supports till ACS 4.2.1 version.
Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
Regards,
Karthik Chandran
*kindly rate helpful post* -
Patch rollup for Cisco Secure ACS 4.2 fails.
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
Thanks
Thanks for the feedback. I attempted the patch rollup install again and it failed in the same place, on the database upgrade. I did think of one thing. Do I need to have my antivirus/protection services disabled prior to installing the rollup?
Also my versions are as follows:
Server OS - Windows Server 2003 R2
Cisco Secure ACS - 4.2.(0) Build 124
Thanks,
Richard Jaehne -
Cisco Secure ACS with UCP assistance and enable password
I am running Cisco Secure ACS version 4.2 on a standalone Windows 2003 Enterprise server with the latest Windows service pack and updates. Secure ACS is running fine and I can authenticate with Cisco routers and switches. The Windows 2003 server is also running Microsoft IIS Server. In other words, the IIS server and Cisco Secure ACS are running on the same Windows 2003 server.
I am trying to get Cisco User-Changeable Password to work with Cisco Secure ACS. I followed the release notes line by line and the workaround provided below:
Also, the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
The name of the windows user that runs UCP is IUSR_<machine_name>.
Workaround steps:
1) Install UCP 4 on a machine that runs IIS server.
2) Open IIS manager
3) Locate Default Web Site
4) Double click on the virtual name 'securecgi-bin'
5) Right click on CSusercgi.exe and choose Properties
6) Choose 'File Security' tab
7) Choose 'Edit' in 'Authentication and access control' area
8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
password (make sure that 'Integrated Windows authentication' is checked)
I still can NOT get this to work. I got this error:
It says:
The page cannot be found
The page you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
I modified everything in Windows 2003 to be "ALLOWED" by EVERYONE. In other words, there is NO security on the Windows 2003 server.
It is still NOT working.
The other question I have is that can Cisco UCP allow user
to change his/her enable password?
Can someone help? Thanks.
Yes bastien,
Thank you.
But one thing more I want to know is that on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for a username and password.
I've given it several times, also going through the Administrator account with administrative credentials, but it always fails.
Any suggestions/solution/?
This time many thanks in advance.
Regards
Mehdi Raza -
Hi all,
With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization, and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured.
So, when I have 1 firewall as a VPN gateway and use ACS as an AAA server, how many network access devices are counted? 1, or as many as VPN clients connected to the firewall?
Does 500 network access devices mean concurrent connections or not?
ACS is based on the number of NADs (Network Access Devices) like switches, routers, ASAs, etc. So in your example, your firewall will consume 1 license regardless of the total number of VPN sessions.
With ISE, the licenses are based on the total number of endpoints. So in your example, each VPN session will take a license.
I hope this helps!
Thank you for rating helpful posts! -
Advice for Buying Cisco Secure ACS 3.3 for Windows
Just need advice on what other things I NEED to order apart from the Windows server when I want to implement ACS and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS.
Hope someone will help.
Hi,
This is all that you require:
Supported Operating System
Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
Windows 2000 Server, with Service Pack 4 installed
Windows 2000 Advanced Server, with the following conditions:
with Service Pack 4 installed
without features specific to Windows 2000 Advanced Server enabled
Windows Server 2003, Enterprise Edition
Windows Server 2003, Standard Edition
Note The following restrictions apply to support for Microsoft Windows operating systems:
We have not tested and cannot support the multi-processor feature of any supported operating system.
We cannot support Microsoft clustering service on any supported operating system.
Windows 2000 Datacenter Server is not a supported operating system.
Please refer to the following link for more information:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
Thanx & Regards -
Cisco Secure ACS license question.
On the Cisco ACS server under the internal identity stores… is “users” and “host” counted against the "base server license" or “network device license”?
Guess you are running ACS 5.x
With the Base license, Cisco Secure ACS 5.3 appliances or software virtual machines can support deployments of up to 500 network devices (authentication, authorization, and accounting [AAA] clients). The number of network devices is based on how many unique IP addresses are configured. This is not a limit for each individual appliance or instance, but a deployment-wide limit that applies to a set of ACS instances (primary and secondary) that are configured for replication.
The optional Large Deployment add-on license allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment as it is shared by all instances.
For more info:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-689829.html
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco Secure ACS won't replicate
Hello Community,
I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
They can both talk to each other, but the replication status is stuck in pending. See attachment.
Any help will be greatly appreciated..
Cheers
Carlton
Well, that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server.
If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment. -
Manage a Cisco Secure ACS Solution Engine?
Hello,
How can I manage/observe a 'Cisco Secure ACS Solution Engine'? I found nothing like SNMP etc.
regards
Karsten
Hi,
You have no way to control the ACS SE with SNMP. We have one router, accessed via ACS, and use a script robot to check access to the router. If the access fails, we send ourselves an email.
Bye Michael -
User $enable15$ in Cisco Secure ACS
Hi all,
I have a Cisco Secure ACS server, by default it has a username called "$enable15$"; I am using TACACS as the authentication protocol.
The question is if I need the $enable15$ user configured in the ACS server even if I am using TACACS as the authentication protocol. I want to delete it but I am not sure if it is possible.
Regards.
Group Setup, select the group and click on edit settings, scroll down to "Cisco IOS/PIX 6.x RADIUS Attributes", enable "cisco-av-pair" and enter shell:priv-lvl=15.