Cisco Secure ACS with UCP assistance and enable password

I am running Cisco Secure ACS version 4.2 running on a
Standalone Windows 2003 Enterprise 2003with the lastest
windows service pack and update. Secure ACS is running
fine and I can authenticate with Cisco routers and
switches. The Windows 2003 server is also running Microsoft
IIS Server. In other words, the IIS server and Cisco
Secure ACS is running on the same windows 2003 server.
I am trying to get Cisco User-Changeable password to work
with Cisco Secure ACS. I followed the release notes lines
by lines and the work around provided below:
Also server require more privileges for the internal windows user that runs CSusercgi.exe.
The name of the windows user that runs UCP is IUSR_<machine_name>.
Workaround steps:
1) Install UCP 4 on a machine that runs IIS server.
2) Open IIS manager
3) Locate Default Web Site
4) Double click on the virtual name 'securecgi-bin'
5) Right click on CSusercgi.exe and choose Properties
6) Choose 'File Security' tab
7) Choose 'Edit' in 'Authentication and access control' area
8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
password (make sure that 'Integrated Windows authentication' is checked)
I still can NOT get this to work. I got this error:
It says:
The page cannot be found
The page you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
I modified everything in the Windows 2003 to be "ALLOWED" by
EVERYONE. In other words, there are NO security on the windows 2003.
It is still NOT working.
The other question I have is that can Cisco UCP allow user
to change his/her enable password?
Can someone help? Thanks.

Yes bastien,
Thank you.
But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
I've given it several time; also going through Administrator account with administrative credentials but it always failed.
Any suggestions/solution/?
This time many thanks in advance.
Regards
Mehdi Raza

Similar Messages

  • Cisco Secure ACS 5.4/Monitoring and Report Viewer - SNMP Settings

    Hello Everyone.
    I hope this is the right forum for my question.
    We just purchased 8 1121 ACS 5.4 appliances. I have some familiarity with the older 1113 and 1120 appliances running ACS 4.2. So I have a lot to learn.
    Right now I'm trying to understand the Monitoring and Report Viewer System Configuration. I set the SNMP V2 read comm. string to the same string I configured from the CLI.
    etc-labacsb1-1/admin# show runn | inc snmp
    snmp-server contact "ACS1121;XXXXX"
    snmp-server location "B1 Lab"
    snmp-server community XXXXXX ro
    1) It was not the same string as configured on CLI. Does setting this give me access to query more than system type or server type MIB objects.
    2) Can you provide an example? (for example to query a switch -  snmpwalk -v 1 -c XXXXXX hostname 1.3.6.1.4.1.9.9.43)
    3) What is the MIB object tree OID (1.3.6.1.4.1.9.???) for these ACS appliances?
    Thanks in advance.
    Ray Westphal
    EHI

    that's correct. here is what we have in ACS 5.4 for snmp.
    ACS 5.4 supports Simple Network Management Protocol (SNMP) to provide logging services. The SNMP agent provides read-only SNMPv1 and SNMPv2c support. The supported MIBs include:
    •SNMPv2-MIB
    •RFC1213-MIB (MIB II)
    •IF-MIB
    •IP-MIB
    •TCP-MIB
    •UDP-MIB
    •CISCO-CDP-MIB
    •ENTITY-MIB
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/device_support/sdt54.html#wp71020
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Stuck with download assistant and reseting password!

    The download assistant does not recognize my adobe ID, it keeps saying my password 'must be 6-12 characters' when it is, and when I try to resent my password, I put in a replacement password and click continue, only for it to get stuck on the password re-registration page : S.
    Cant re-register password from here:
    http://www.adobe.com/cfusion/entitlement/index.cfm?k=18a8db11%2Dcfb7%2Da9ea%2Dbca5e9ef2dbb 7326&loc=en%5Fus

    Sign in or activation errors | CS6, CS5.5 Subscriptions, CS6 Perpetual
    Mylenium

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

      I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
    and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
    I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
    I've scoured google etc, and just cannot come up with any reason why this should be happening.
      I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    THanks and regards
    Sharan

    Hi  Jesse,
    Thasts a great answer and Soution.
    My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
    After this answer i have upgraded it to ACS4.2.1 and its started working fine
    Thanks very much for the help
    Dipu

  • With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...

  • Cisco Secure ACS 4.2 with Oracle

    hi there...
    Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco  1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113  Appliance as radius server. For username and password, ACS will export the data from Oracle database(production DB).
    The problem that we are facing right now is password that store in oracle database is in  encrypted format. Base feedback from our database administrator, the  encryption is done by oracle - application layer and cannot be decrypt  back. In Oracle they call it "Oracle Stored Procedures"
    My questions :
    1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
    2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
    Please advice.
    Thanks

    Microsoft SQL Server and Case-Sensitive Passwords
    If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
    For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
    For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
    Sample Routine for Generating a PAP Authentication SQL Procedure
    The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id (`dbo.CSNTAuthUserPap') and
                             sysstat & 0xf = 4)drop procedure dbo.CSNTAuthUserPap
                             GO
                             CREATE PROCEDURE CSNTAuthUserPap
                             @username varchar(64), @pass varchar(255)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username
                             AND  csntpassword  = @pass )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
                             GO
    Sample Routine for Generating an SQL CHAP Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTExtractUserClearTextPw') 
                             and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
                             GO
                             CREATE PROCEDURE CSNTExtractUserClearTextPw
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error",csntpassword
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
                             GO
    Sample Routine for Generating an EAP-TLS Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTFindUser') and 
                             sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
                             GO
                             CREATE PROCEDURE CSNTFindUser
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
                             GO
    Reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420

  • Advice for Buying Cisco Secure ACS 3.3 for Windows

    Just need advice on what other things I NEED to order apart from the Windows server when I want to iplement ACS and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS
    Hope someone will help

    Hi,
    This is all what you require:
    Supported Operating System
    Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
    •Windows 2000 Server, with Service Pack 4 installed
    •Windows 2000 Advanced Server, with the following conditions:
    –with Service Pack 4 installed
    –without features specific to Windows 2000 Advanced Server enabled
    •Windows Server 2003, Enterprise Edition
    •Windows Server 2003, Standard Edition
    Note The following restrictions apply to support for Microsoft Windows operating systems:
    •We have not tested and cannot support the multi-processor feature of any supported operating system.
    •We cannot support Microsoft clustering service on any supported operating system.
    •Windows 2000 Datacenter Server is not a supported operating system.
    Please refer to the following link for more information:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
    Thanx & Regards

  • Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

    To Whomever Can Assist,
          I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can login into the admin web-console just fine.  However, when I create a new or test user that mirror my configuration that user cannot login to the admin web-console.  The user can login it to devices with the appropriate privileges, but can't administer his/her account within ACS.  This has proven very problematic and needs a remedy.  Thanks for the assistance.

    Bradbryant.dhs,
    Where are you creating the new admin user who should have access to ACS web gui under internal users or administration.
    Internal user and ACS administrator accounts are completely different. 
    Adding administrator account
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • Cisco Secure ACS

    Hi all,
    With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization, and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured.
    So, when i have 1 firewall for vpn gateway, and using acs as an aaa server, how much network access device which is counted ? 1 or as many as vpn client connected to the firewall ?
    500 network access device means concurrent connection or not ?

    ACS is based on the number of NADs (Network Access Devices) like switches, routers, ASAs, etc. So in your example, your Firewall will consume 1 license regardless of the total number of VPN sessions. 
    With ISE, the licenses are based on the total number of endpoints. So in your example, each VPN session will take a license. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the worlds best selling remote access security solutions and its quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
    extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    Fore more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

    bump

  • Patch rollup for Cisco Secure ACS 4.2 fails.

    I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
    Thanks

    Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
    Also my versions are as follows:
    Server OS - Windows Server 2003 R2
    Cisco Secure ACS - 4.2.(0) Build 124
    Thanks,
    Richard Jaehne

  • How to configure Cisco Airespace in Cisco Secure ACS v5.3

    Need some help regarding Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with
    Cisco Airespace. It is only working on ACS4.1 but when we tried to move it to Cisco Secure ACS v5.3, it is not working.

    Ok, we have a legacy Cisco wireless devices called Cisco Airespace and this device is the result of Cisco acquisition of Airespace Wireless Network in 2005. Cisco improve this technology and make it a perfect device for WLAN. Going back to my issue, as I mention we have this device and it is working in our older version of ACS (4.x). Since we have now a latest version of ACS which is 5.3. We wanted to migrate all the device into our latest version of ACS including older version (Airespace). Since this is an older device, I'm thinking that the VSA attributes needs to manually added and create Policy and Access Service specific to Cisco Airespace. I've attached the Dictionaries attributed that I've added and needs some advise if I got the correct value for below item
    Airespace-WLAN-Id
    Airespace-QoS-Level
    Airespace-DSCP
    Airespace-802.1p-Tag
    Airespace-Interface-Name
    Airespace-ACL-Name
    Below link is the configuration guide for Cisco Airespace under ACS 4.x
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a csv file. I create a accountactions.csv file where I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create one Group (e.g rename Group 30 with Group TEST) directly in my csv file ?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what i found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    line 1
    Rename "Group 100" to named group "BPM" using code 210 to perform the Action
    Gerald

  • Cisco Secure ACS license question.

    On the Cisco ACS server under the internal identity stores… is “users” and “host” counted against the "base server license" or “network device license”?          

    Guess you are running ACS 5.x
    With  the Base license, Cisco Secure ACS 5.3 appliances or software virtual  machines can support deployments of up to 500 network devices  (authentication, authorization, and accounting [AAA] clients). The  number of network devices is based on how many unique IP addresses are  configured. This is not a limit for each individual appliance or  instance, but a deployment-wide limit that applies to a set of ACS  instances (primary and secondary) that are configured for replication.
    The  optional Large Deployment add-on license allows a deployment to support  more than 500 network devices. Only one Large Deployment license is  required per deployment as it is shared by all instances.
    For more info:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-689829.html
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco Secure ACS wont' replicate

    Hello Community,
    I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
    They can both talk to each other, but the replication status is stuck in pending. See attachment.
    Any help will be greatly appreciated..
    Cheers
    Carlton

    Well that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
    If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server. 
    If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
    After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment.

Maybe you are looking for

  • HP Color LaserJet 2605dn going offline for no apparent reason. Need help!

    There are four of us with these printers in our finance department.  Two PC's are running Windows Vista and two Windows 7.  The printers are networked but installed locally on each PC.  Routinely all of these printers will go offline at the same time

  • Can't drag or drop!

    I suddenly am unable to drag or drop files on my laptop. It detected a virus (Sophos) but I deleted the files. Now it won't seem to work! Please help if you've encountered this problem before!

  • Distribution List not displaying user in Outlook

    Hi All, Running Exchange 2010 with SP3. I have a user that when added to a distribution list only appear in the distribution list using ADUC or Exchange Management Console but in outlook 2013 if I expand the distribution list are not present but will

  • Deleting photostream pictures on mac

    I have reached 1000 pictures in my photostream on my mac book pro and I can't seem to delete anything. If new pictures need to be added the oldest pictures automatically get deleted which isn't what I want. I want to choose which ones to delete but i

  • Premiere CS6 slower than 5.5

    We have recently migrate from CS 5.5 to CS6. We install Production premium in many PCs. (same hardware we used for 5.5.) and our editors realized that CS6 moves slower than 5.5. They used to work very fast and sometimes they have to wait to CS6 to re