CSACS-1121-UP-K9
Hello,
Is it possible to upgrade the CSACS-1121-UP-K9 to be a non upgrade part?
We were going to upgrade from a Windows 4.x to the above Appliance (version 5.x) but there is now a reason to keep the old Windows version running therefore we cannot give the new Appliance the old ACS's licenses?!
So we should have (with hindsight) bought a fresh version of the ACS 5.x rather than an upgrade.
Any advice would be appreciated.
Regards,
Garry.
Garry,
Is there a price difference between the upgrade SKU and the SKU used for a new deployment? There is no difference in the image versions at all; they both have a migration application that will help you migrate the ACS 4.x network devices, internal users and a few various objects that can take a lot of time. It is up to you to use this or not.
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Dual NIC on ACS CSACS-1121-K9 Server for ACS V5.2
Is it possible to have dual NICs on ACS v5.2, such as teaming or anything else?
I am thinking of connecting the two NICs on the CSACS-1121-K9 appliance to two switches on the same network, but I am wondering whether it will be possible or not.
Can anyone help me regarding this? Please help me!
No, you can only use one NIC on the ACS appliance.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp190802
The extra Ethernet port comes blocked.
Thanks,
Tarik
-
CSACS 1121 V5.4.0.46.4
Good morning everyone, I'm Eric Jones and I'm a CISCO equipment user.
I have some questions on the 1121 AAA server.
We have 2, one is configured to work with our Active Directory.
It accesses the AD data and will pull the username from the AD group; however, when you attempt to enter the AD group user's password, it fails to log in to the IOS device chosen.
What it wants is the enable password created for the local admin account on the IOS device.
The Shell profiles and Command Sets have been created.
The binding has been completed.
The IOS device has its configuration completed.
Part II of this issue.
When I first began configuring the device there were no Default Device Admin or Default Network Admin Access Policies configured.
I had to create these myself.
After that surprise everything went smoothly as mentioned above with the Shell Profiles and Command Sets.
Has anyone seen this issue before?
Part III of this issue.
When entering the Monitoring and Reports section and enabling Support Bundle I get an error when trying to start it.
I get a red warning banner at the top stating the server isn't running. Well, clearly it's running, but it doesn't think so.
Also, when trying to view the reports to see any accounting, authorization, authentication information in the logs, there's nothing there.
I have configured the logs to write to a server but nothing ever gets written.
And since nothing is being done locally on the ACS I can't tell why it's not writing to the server.
Any thoughts?
ej
Here is the config minus some sensitive password information and ACL lists.
! Last configuration change at 23:25:58 UTC Wed Oct 2 2013 by a1236ej
! NVRAM config last updated at 23:19:01 UTC Wed Oct 2 2013 by a1236ej
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 209-G2
boot-start-marker
boot-end-marker
aaa new-model
aaa group server radius 10.2.9.2
aaa group server radius yacs001
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+
aaa authorization commands 1 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 1
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 1 CONSOLE start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
switch 1 provision ws-c3750g-24ts
system mtu routing 1500
vtp mode transparent
ip domain-name srf.local
crypto pki trustpoint TP-self-signed-3353342592
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3353342592
revocation-check none
rsakeypair TP-self-signed-3353342592
crypto pki certificate chain TP-self-signed-3353342592
certificate self-signed 01
quit
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree backbonefast
vlan internal allocation policy ascending
vlan 10,209
vlan 999
shutdown
ip ssh version 2
interface Loopback5
no ip address
interface GigabitEthernet1/0/1
switchport access vlan 209
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
interface GigabitEthernet1/0/2
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/3
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/4
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/5
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/6
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/7
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/8
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/9
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/10
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/11
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/12
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/13
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/14
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/15
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/16
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/17
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/18
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/19
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/20
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/21
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/22
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/23
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/24
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
interface GigabitEthernet1/0/26
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
interface GigabitEthernet1/0/27
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
interface GigabitEthernet1/0/28
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
interface Vlan1
no ip address
interface Vlan10
ip classless
ip http server
ip http secure-server
ip tacacs source-interface GigabitEthernet1/0/25
ip radius source-interface Vlan10 vrf default
ip sla enable reaction-alerts
logging 10.7.4.33
logging 10.30.0.34
access-list 10 permit 10.30.0.34 log
access-list 10 permit 10.30.0.151 log
access-list 10 permit 10.230.0.50 log
access-list 10 deny any log
snmp-server group rwsrf v3 auth read rwview write rwview
snmp-server view rwview internet included
snmp-server community rosrf RO 10
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
tacacs-server host 10.7.4.23
tacacs-server host 10.7.4.22
tacacs-server directed-request
tacacs-server key 7 09754F021046461C020731
radius-server host 10.7.4.23 auth-port 1645 acct-port 1646
radius-server key 7 0317530A140A255F4B0A0B0003
banner login
!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!You are accessing a U.S. Government (USG) Information System
!(IS) that is provided for USG-authorized use only.
!By using this IS (which includes any device attached
!to this IS), you consent to the following conditions:
!-The USG routinely intercepts and monitors communications on
!this IS for purposes including, but not limited to, penetration
!testing, COMSEC monitoring, network operations and defense,
!personnel misconduct (PM), law enforcement (LE), and
!counterintelligence (CI) investigations. At any time, the USG
!may inspect and seize data stored on this IS.
!-Communications using, or data stored on,
!this IS are not private, are subject to routine monitoring,
!interception, and search, and may be disclosed or used for
!any USG-authorized purpose.
!-This IS includes security measures
!(e.g., authentication and access controls) to protect USG
!interests--not for your personal benefit or privacy.
!-Notwithstanding the above, using this IS does not
!constitute consent to PM, LE or CI investigative searching or
!monitoring of the content of privileged communications, or work
!product, related to personal representation or services
!by attorneys, psychotherapists, or clergy, and their assistants.
!Such communications and work product are private and confidential.
!See User Agreement for details.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
banner motd
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!This is a Department of Defense computer system.
!This computer system,including all relxted equipment, networks
!and network devices (specifically including internet access),
!are xrovided only for authorized U.S. Government use.
!DOD computer system may be monitored for all lawful purposes,
!including to ensure that their use is authorized, for management
!of the system, to facilitate protection against unauthorized
!access,and to verify security proctdues, survivability and
!operational security. Monitoring includes active attacks by
!authorized DOD entities to test or verify the security of
!this system. During monitoring, information may be examined,
!recorded, copied and used for authorized purposes. All information,
!including personal information placed on or send over this
!system may be monitored.Use of this DOD computer system,
!authorized or unauthorized, constitutes consent to monitoring
!of this system. Unauthorized use may subject you to criminal
!prosecution. Evidence of unauthohized use collected during
!monitoring may be Used for administrative, criminal or other
!adverve action. Use of this system constitutes consent to
!monitoring for these purposes.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
line con 0
exec-timeout 9 0
logging synchronous
line vty 0 4
password 7 03165E06090132
logging synchronous
transport input ssh
line vty 5 15
transport input ssh
ntp authentication-key 10 md5 025132403B535C365D1F47512B0E152A 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 36029083
ntp server 10.7.60.20
ntp server 10.30.0.13
end
-
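The login path implied by the switch configuration posted above can be checked mechanically. The following is an added example, not part of the original post or of any Cisco tool: it reads the AAA login method lists and the line blocks and reports which list each line actually uses. The embedded sample is a constructed excerpt of that configuration with indentation restored and the password value replaced, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the configuration posted above. Indentation is
# restored (an assumption) so sub-commands can be tied to their block, and
# the line password is replaced with a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,209
 switchport mode trunk
interface Vlan10
ip tacacs source-interface GigabitEthernet1/0/25
line con 0
 exec-timeout 9 0
 logging synchronous
line vty 0 4
 password 7 <removed>
 logging synchronous
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Methods that authenticate with one password shared by every administrator.
SHARED_SECRET_METHODS = {"enable", "line"}


def parse_login_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # 'group tacacs+' is a single method, so keep 'group' with its argument.
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists


def parse_blocks(config, keyword):
    """Return {header: [sub-commands]} for top-level blocks starting with keyword."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(keyword + " "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return (subject, finding) tuples describing the login path of each line."""
    lists = parse_login_lists(config)
    findings, used = [], set()
    for header, subs in parse_blocks(config, "line").items():
        name = "default"  # IOS uses the default list unless the line names one
        for sub in subs:
            m = re.match(r"login authentication (\S+)", sub)
            if m:
                name = m.group(1)
        used.add(name)
        methods = lists.get(name, [])
        fallbacks = [x for x in methods[1:] if x in SHARED_SECRET_METHODS]
        if fallbacks:
            findings.append((header,
                             "list '%s' falls back to %s when %s returns no answer"
                             % (name, "/".join(fallbacks), methods[0])))
    # Named lists that no line references have no effect on logins.
    for name in sorted(set(lists) - used):
        findings.append(("aaa list " + name, "defined but not applied to any line"))
    # The TACACS+ source interface needs an address the ACS knows the device by.
    m = re.search(r"^ip tacacs source-interface (\S+)$", config, re.M)
    if m:
        subs = parse_blocks(config, "interface").get("interface " + m.group(1), [])
        if not any(s.startswith("ip address ") for s in subs):
            findings.append(("ip tacacs source-interface " + m.group(1),
                             "interface has no 'ip address' in this config"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print("%-50s %s" % (subject, finding))
```

On the excerpt every line resolves to the `default` list, whose methods after `group tacacs+` are `enable` and `line`, so the device prompts for the enable password whenever the TACACS+ servers do not answer. The named `VTY` and `CONSOLE` lists take effect only once a line carries `login authentication <list>`.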
CSACS-3415 ACS 5.4 NIC Bonding / Teaming possible ?
Hi Team,
I know, this topic has been answered for the "old" 11x Appliances: not possible.
Does the new UCS hardware change anything ?
Can we bundle 2 NICs somehow to get interface redundancy ?
If still not possible to configure that in ACS 5 itself:
Can it eventually be done on the "hardware" level
within the appliance firmware (UCS BIOS) ?
Frank
(RHEL would provide NIC bonding... unfortunately it's not accessible from the ACS 5 CLI)
Yes it does. ACS 5.5 with the Cisco SNS-3415, Cisco SNS-3495, virtual machine, or CSACS-1121 platform allows you to use up to four network interfaces: Ethernet 0, Ethernet 1, Ethernet 2, and Ethernet 3.
NIC Bonding
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/installation/guide/csacs_book/csacs_hw_ins.html#pgfId-1191791
Creating interface bonding
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/installation/guide/csacs_book/csacs_hw_ins.html#pgfId-1197533
Regards,
Jatin Katyal
*Do rate helpful posts*
-
ACS 1121 appliance downgrade to 4.2.0.124
Hi All ,
The newly shipped Cisco ACS appliance 1121 has been shipped with ACS version 5.0. I need to downgrade to ACS version 4.2.0. I could not see a recovery CD or DVD for ACS 4.2 along with the shipment. Is the ACS 1121 appliance compatible with ACS version 4.2.0?
My ACS BOM details
CSACS-1121-K9
ACS 1121 Appliance With 5.1 SW And Base license
CON-SAS-51SWK
SW APP SUPP Config Option: ACS 5.1 SW Loaded On 1121
Hi,
ACS 1121 does not support ACS 4.2. So a downgrade is not possible.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
-
Lightroom upgrade from 5.4 to 5.5 or 5.6: "The Installer Is Damaged"
OS - Mac 10.9.3. I've downloaded both 5.5 and 5.6 to upgrade the installed 5.4. Both 5.5 and 5.6 give the same error - "The installer is damaged. The installer can't open the package. There may be a problem with the file ownership or permissions."
I'm logged in as the administrator, the file info shows read/write, not locked. I've rebooted. Googling, there are no hits with Lightroom and this error message. I don't want to uninstall 5.4, because it is running, but I need the new version for a new camera.
The ACS 5.6 software runs on a dedicated Cisco SNS-3495 appliance, on a Cisco SNS-3415 appliance, on a Cisco 1121 Secure Access Control System (CSACS-1121) or on a VMware server. ACS 5.6 ships on Cisco SNS-3495 and Cisco SNS-3415 appliances. However, ACS 5.6 continues to support the CSACS-1121 appliance. You can upgrade to ACS 5.6 from any of the previous releases of ACS that run on the CSACS-1121 appliance. For more information on upgrade paths, see Upgrading Cisco Secure ACS Software.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/release/notes/acs_56_rn.html#40742
-
ISE installation - reimaging issue
Hi,
Today I was installing ISE on 3355 appliances that will run all services (standalone). When the installation completed I was not able to log in to the CLI. I think the keyboard I used had an issue (typed an extra character or something). This was a pre-loaded OS.
I downloaded (ise-ipep-1.2.0-899.i386.iso) and tried password recovery, booting the appliance with (ise-ipep-1.2.0-899.i386.iso). After changing the password I saved the configs and tried logging in using the new password. But I could not log in again.
Then I tried to re-install ISE using (ise-ipep-1.2.0-899.i386.iso). After the installation was completed, I entered the setup command and an error popped up on the screen: "input/output errors occured while installation".
Question 1: Is the following iso only for a posture node installation or I could use this for ISE standalone deployment?
ise-ipep-1.2.0-899.i386.iso
Cisco Identity Services Engine Software Version 1.2.0 full installation (IPN functionality only). This ISO file can be used for installing ISE IPN (Inline Posture Node) on ISE-33x5 and NAC-33x5 Appliances, SNS-3415 server and CSACS-1121.
Question:2 What could have caused "input/output errors occured while installation". And how should I proceed with the installation?
I am in really bad situation, your help and support will be highly appreciated.
Regards
Hi Ravi, thanks for the reply, but my questions were the following:
Question 1: Is the following iso only for a posture node installation or I could use this for ISE standalone deployment?
Can I use this ise-ipep-1.2.0-899.i386.iso for fresh installation on 3355 appliance?
Question:2 What could have caused "input/output errors occured while installation". And how should I proceed with the installation?
Answer: Download the latest version 1.2 and check the MD5 checksum.
-
ACS 5.4 multiple network interfaces support
In ACS 5.4 release note, it says:
Multiple network interface connector support
ACS 5.4 supports up to four network interfaces: Ethernet 0, Ethernet 1, Ethernet 2, and Ethernet 3. ACS management functions use only the Ethernet 0 interface, but AAA protocols use all configured network interfaces. You must connect the ACS nodes in the distributed deployment only to the Ethernet 0 interface. Therefore, the syslog messages are sent and received at the log collector's Ethernet 0 interface. Data forwarding from one interface to another interface is prohibited to prevent potential security issues. The external identity stores are supported only on the Ethernet 0 interface. In ACS 5.4, multiple network interface connectors are also supported for proxies.
But in the CSACS 1121 Series Appliance Rear View section, it still says only Ethernet 0 is usable. All other interfaces are blocked.
I am confused. Can anyone clarify for me if we can use multiple network interfaces in ACS 5.4? What about the management interface?
Thanks!
We configured 2 interfaces in the past within a testing environment and it worked. ACS 5.4 supports multiple network interfaces on the UCS platform, on a virtual machine and on the legacy ACS 5.x IBM/CAM hardware. The ACS management functions use the interface eth0 only and the AAA protocols use all available network interfaces.
Jatin Katyal
- Do rate helpful posts -
-
I proposed New ACS 5.4 Appliance - CSACS-1121-K9 and upgrading current ACS 4.1 to ACS 5.4-CSACS-5.4-VM-UP-K9
My customer wants to do configuration/database replication between two ACS. Is it possible that ACS in a VM can work with ACS in an appliance?
thanks
sompoj
There should not be any issues. It will work fine.
ACS distributed deployment.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/introd.html#wp1058054
ACS 4.x and 5.x replication
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/introd.html#wp1052580
Regards,
Jatin Katyal
- Do rate helpful posts -
-
ACS view DB size has exceeded allowed quota
Hi:
We have a CSACS-1121-K9 with ACS version 5.4.0.46.3.
We see the following warning: "ACS view DB size has exceeded allowed quota". I can't find the meaning of this, how critical it is, or what should be done.
Does anyone have an answer?
The ACS has in the last 2 days stopped showing log messages. I was wondering if this message could be related.
Thanks for the help
Mickey
Hi Mickey,
The Monitoring and Report Viewer database handles large volumes of data. When the database size becomes too large, it slows down all the processes. You do not need all the data all the time. Therefore, to efficiently manage data and to make good use of the disk space, you must back up your data regularly and purge unwanted data that uses up necessary disk space. Purging data deletes it from the database.
Also check the following links,
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/viewer_sys_ops.html#wp1068157
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/secure-access-control-server-view-4-0/white_paper_c07-484555.html
Thanks
Anas
-
ACS v5.3 (user command line interface)
Hello,
We have lost the user/pass of command line interface of our ACS, but we can access by Web Interface with all the privileges.
We are trying to create a user from the web interface for the command line interface, but I can't find the way to do it.
I created a user in System Administration > Accounts with all roles, but this user doesn't work in the command line interface.
Is it possible to create a user for the command line interface from the web interface?
Thanks
Complete these steps to reset the CLI administrator account.
1. Insert the ACS 5.x Recovery DVD into the DVD drive of ACS.
2. Reboot the ACS 5.x.
The console displays:
“Welcome to Cisco Secure ACS 5.1 Recovery - CSACS 1121”
3. To boot from hard disk press
Available boot options:
[1] Cisco Secure ACS 5.1 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.1 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
Boot from hard disk
Please enter boot option and press .
Boot:
4. To reset the administrator password, at the system prompt, enter 3 if you are using a keyboard and video monitor, or enter 4 if you are using a serial console port.
5. The console displays the name of all the administrators configured on the ACS 5.x
Admin username:
[1]:david
[2]:john
Enter number of admin for password recovery:
6. Enter the number against the administrator username for which you want to reset the password. For the user "david", enter 1 at the prompt.
7. Enter the new password for the administrator account and verify it. Enter Y to save the new password.
Password:
Verify password:
Save change&reeboot? [Y/N]:
8. Now, remove the ACS 5.x Recovery DVD and reboot the ACS.
-
hi all,
we are using ACS version 5.3.0.40, NAME: "CSACS-1121-K9 chassis", DESCR: "CSACS-1121-K9.
we have different access groups of users, and we want one of them to be able to access the devices in a location and use all commands without privilege mode (all that are before enable)
at this way: Policy Elements > Authorization and Permissions > Device Administration > Command Sets:
we created a command set to permit:
telne*
ssh*
show*
regards
Mauro Silva
Hi Lopez, we don't know how to do what we already explained above.
Now we are only using these commands:
telne*
ssh*
show*
Regards
Mauro Silva
-
Errors in ACS View Server in ACS 5.2
Hello,
I have deployed 7 appliances 5.2.0.26.4 CSACS-1121-K9, of which 6 are performing AAA authentications while the last one is the primary and is the master for configuration and log collector.
Since this morning, I cannot access anymore the view where I can see all Radius authentication for today. I obtain the following message:
The server workspace storage for on demand transient reports is full, please try again later or contact administrator to increase on demand transient report storage capacity
I could not find any indication how to solve that issue.
Moreover, if I generate other report, I have the message:
18002: iPortal generate report failed.
I could find some information which makes references to a Cisco bug CSCtb98071, as below:
Launching a shared report in the ACS 5.1 Monitoring and Report Viewer displays an iportal error for a particular scenario.
Symptom: You will see the following iportal error message when you launch a shared report:
iPortal generate report failed.
Conditions: This error occurs when you add a report to a group in the interactive viewer and save it as a shared report.
Workaround: Avoid using the option Add Group from the interactive viewer for hyperlinked column entries when you save the report as shared
However, I am not adding any report to any group, so I don't understand why this error appears and how to solve it.
Thanks a lot for your help,
With my best regards.
David,
Since your environment consists of 7 ACS instances, of which 6 are in a secondary configuration, please move the log collection over from the primary to one of the secondary instances.
We have seen issues where this is recommended, not only in the configuration guide but as has also been seen in other TAC cases.
Thanks,
Tarik
-
ACS 5.1 with Outlook Web Access
Hi Everyone,
I have a weird issue which i am troubleshooting. I just wanted to see if anyone had a different view on this.....
I have an AD user, let's call them work\auser, and their password just expired, so at next logon to the domain they need to change their password.
They decide while at home to connect to Outlook Web Access, which authenticates via ACS 5.1 to AD. When they try to connect they are denied with the following message in ACS -
24407 User authentication against Active Directory failed since user is required to change his password
: Authentication failed
ACS also says this as resolution -
Check the password expiry under Account options in the properties of an external database user. If the password is expired and the Enable Change Password is turned on in the Users and Identity Stores: External Identity Stores > Active Directory page, then the password will be changed.
Now, our OWA is not configured to allow password resets, so they must call in to have their password reset, or they can connect via VPN and our ASA allows them to change their password as configured under Identity Stores > Active Directory > Enable Password Change
This VPN password change is successful although OWA still will not work. The only way to fix it is to select password does not expire within AD. Let it replicate, then de-select password does not expire and let it replicate.
This is pointing to an OWA issue in my opinion, although ACS is somehow involved. Is it possible that ACS caches authentication, or because OWA does not allow password resets, it keeps responding with user required to change his password?
Any thoughts or different ways to look at this from a troubleshooting perspective would be greatly appreciated!
Thanks
The following is the procedure I am familiar with:
Resetting the Administrator Password
If you are not able to log in to the system due to loss of administrator password, you can use the ACS 5.1 Recovery DVD to reset the administrator password.
To reset the administrator password:
Step 1 Power up the appliance.
Step 2 Insert the ACS 5.1 Recovery DVD.
The console displays:
Welcome to Cisco Secure ACS 5.1 Recovery - CSACS 1121
To boot from hard disk press
Available boot options:
[1] Cisco Secure ACS 5.1 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.1 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
Boot from hard disk
Please enter boot option and press .
boot:
Step 3 To reset the administrator password, at the system prompt, enter 3 if you are using a keyboard and video monitor, or enter 4 if you are using a serial console port.
-
Hi,
we have a NAME: CSACS-1121-K9 Version : 5.3.0.40, and we would like to have the MIBs to manage.
Can someone help me to find them?
Hi,
Cisco Secure ACS 5.3 supports Simple Network Management Protocol (SNMP) to provide logging services. The SNMP agent provides read-only SNMP v1 and SNMP v2c support. The supported MIBs include:
• SNMPv2-MIB
• RFC1213-MIB (MIB II)
• IF-MIB
• IP-MIB
• TCP-MIB
• UDP-MIB
• CISCO-CDP-MIB
• ENTITY-MIB
The SNMP agent is configurable on the Collection Filters page in the Monitoring and Report Viewer.
Regards
K. Lakshmi Ganesh