Extra server on cisco ACS engine

I'm a bit curious about the way the Cisco ACS engine (the Cisco-built hardware) sets up servers initially. Most of the documentation I have is for Windows, so I was a bit confused when, after the initial configuration, there were two "AAA Servers" shown in the configuration, one called "Self" with the IP address I defined, and the other with the name I defined and a different address.
Has anyone else encountered this? Will it cause problems? And is there a way to get rid of it?
Thanks

That is a known issue with the ACS appliance, but nothing to worry about. Make sure you have this setting in ACS:
acs--->network configuration--->Proxy dis table---> Bring Deleverance1 in the fwd to box and your server name in the left box.
In case you don't see the proxy dis table, then you need to enable it:
Interface configuration---> Advance option ---> Put a check in distribution table.
Regards,
~JG
Please do rate helpful posts

Similar Messages

  • Cisco ACS Engine appliance 1120 software upgrade

    I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

    It is highly suspicious that you would have a 1120 appliance that is running 3.3
    ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
    ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
    As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
    Nicolas

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • Cisco ACS 4.2 - Server Busy

    Hi!
    We're authenticating our Desktops and IP-Phones via 802.1x using two Radius-servers running Cisco ACS v4.2 on Win2k8.
    From time to time we run into the problem that one of the servers 'gets too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP phones (Siemens OpenStage).
    What I don't understand is why the ACS acts that way...
    TAC says that all 42 or so threads are in use when the server says it's too busy.
    While the server is 'busy' the CPU runs at 1 - 2 % !! And there's loads of RAM left...
    This is an extract from the CSRadius-Log-File:
    RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDP
    RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS...
    RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
    Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
    Thanks a lot!

    The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
    You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
    The information needed is the following.
    All of these items really need to be gathered at the same time:
    switch debugs including
    debug radius
    debug aaa authen
    debug aaa accounting
    sniffer capture between the switch and the ACS
    logs from ACS with debugs enabled.
    If you are going to AD on the backend, you may also want a sniffer capture between the ACS and the AD.
    All of these together should tell you where the delay or failure lies, and then at that time some changes can be suggested.
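An added example (not part of the thread and not Cisco tooling): a Python triage of the CSRadius excerpt quoted in the question above, counting ignored requests per NAS address and the resource-exhaustion tokens that appear in it. The sample lines are copied from that excerpt; the field names in the regex are assumptions inferred from the line layout.

```python
import re
from collections import Counter

# Lines copied from the CSRadius excerpt in the question above. The second
# line deliberately keeps two records run together, as pasted logs often are.
SAMPLE_LOG = """\
RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS
RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
"""

# Assumed layout: service tag, date, time, level, code, thread id, flags, message.
LINE_RE = re.compile(
    r"^(?P<svc>[A-Z]+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<tid>\d+) (?P<flags>0x[0-9a-fA-F]+) (?P<msg>.*)$"
)
# Zero-width split point in front of every record header.
RECORD_START = re.compile(r"(?=RDS \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} )")
BUSY_RE = re.compile(r"Server too busy - request from (\d{1,3}(?:\.\d{1,3}){3}) ignored")
EXHAUSTION_RE = re.compile(r"\b(UDB_SERVER_BUSY|AS_NO_FREE_CONNECTIONS)\b")


def split_records(text):
    """Yield one record per log entry, even when entries share a line."""
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if chunk:
            yield chunk


def summarize(text):
    """Count dropped requests per NAS, per second, and exhaustion tokens."""
    dropped_by_nas = Counter()    # "Server too busy" drops keyed by source IP
    drops_per_second = Counter()  # the same drops keyed by timestamp
    backend_errors = Counter()    # exhaustion tokens seen in any message
    unparsed = []                 # chunks that do not match the assumed layout
    records = 0
    for rec in split_records(text):
        m = LINE_RE.match(rec)
        if not m:
            unparsed.append(rec)
            continue
        records += 1
        busy = BUSY_RE.search(m["msg"])
        if busy:
            dropped_by_nas[busy.group(1)] += 1
            drops_per_second[f'{m["date"]} {m["time"]}'] += 1
        for token in EXHAUSTION_RE.findall(m["msg"]):
            backend_errors[token] += 1
    return {
        "records": records,
        "dropped_by_nas": dict(dropped_by_nas),
        "drops_per_second": dict(drops_per_second),
        "backend_errors": dict(backend_errors),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over a full log, the per-second counts show when the drops cluster, which can be lined up with the switch debugs and captures the reply asks for.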

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • Cisco ACS 4.2 Solutions Engine replacement

    Hi,
    Our ACS appliance (Cisco 1113) has died and it is not cost effective to get it replaced as it will only be used until the end of this year.
    Is it possible to get the tacacs software to install on a Windows server? How do I go about sourcing the software as the original documentation is no longer available? Will the fact that I have a defunct appliance be sufficient proof to get a copy of the software? We are currently running v4.1
    Thanks.

    Here is a path to download the Eval version of ACS 4.2 windows.
    Cisco.com > Downloads Home > Products >  Security > Access Control and
    Policy > Policy and Access Management > Cisco Secure Access Control
    Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access
    Control Server (ACS) for Windows-4.2.0.124 > scroll down to the bottom
    and you will see a file named
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    Installing ACS on windows
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html
    Once installed you can restore the previous backup on the windows server.
    Restoring ACS from a backup file
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/SCBasic.html#wp222758
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ACS 4.2 Solutions Engine replacement advice

    Hi everyone,
    I am hoping to get some advice on an upcoming upgrade.  We currently have a Cisco ACS 4.2 Solutions Engine.  (That's the physical appliance).  It is coming to end of support and we are looking to replace.  Here is what we use it for today:
    1. TACACS+ AAA for all routers and switches.  Gives us great reporting.
    2. PEAP Authentication for our wireless network off of a 5508 Wireless Controller.
    3. Machine Access Restrictions for our Wireless network.  (Basically Machine Authentication)
    I believe that is all we use it for today.  That said, hoping to get some of your opinions on a replacement.
    Any advice or opinions are greatly appreciated.
    Thanks,
    Josh

    Hi Josh,
      To add up to the above post, You will have to undergo the migration process from going to ACS 4.2 to ACS 5.4.
    Here is the migration guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/migration/guide/Migration_support.html
    Regards
    Minakshi
    (Do rate the helpful posts )

  • Cisco ACS 1121 server configuration

    Hi,
    Anyone can tell me how to configure LAN teaming in Cisco ACS 1121. My requirement is to have virtual IP in the server with two physical IPs in the available 2 interface in the server.
    Regards,
    Haja Shajahan.M

    Currently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
    Paps

  • Cisco ACS Server

    Hi
    I have at present a Cisco ACS server 3.3. I want to upgrade the server to latest version and also cluster it with another one so that we could have a redundant infrastructure as if one fails the other one takes over ..
    Can you provide a suitable solution for this?
    Thanks

    Hi,
    The Latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
    Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
    Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
    Regards,
    Vivek

  • Cisco ACS Server . Download Evaluation Version For Testing.

    Hello.
    I want to try to install ACS server for Windows to check how this is working with Microsoft AD. Does anyone know where I can download an evaluation version of Cisco ACS Server for Windows?

    Hello Michael-
    The ACS version for Windows is no longer available. The product is EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
    The product was replaced with a Linux based version (5.x) and it is a lot easier of a product to install and manage. 
    If you want to evaluate the product I would recommend that you contact your local Cisco partner:
    https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
    Thank you for rating helpful posts!

  • Limitations of Cisco ACS server

    I want to ask about limitations of Cisco ACS server 3.3.
    I use ACS server for Radius authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation or changed due to hardware performance?
    Can I also solve this problem with a High Availability configuration?

    Hi
    ACS performance is a very complex issue and depends largely on
    1) auth protocol (anything eap is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSAuth. Messages to CSAuth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
    EAP-TLS and now EAP-FAST are really really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad CPU server won't reduce back-end external db latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
    For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
    Thanks!

    I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter, here configure the user's IP
    2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
    3. Define your rule with the required result

  • Cisco ACS 5.4.0.46.6 - Cannot join to domain

    I am not able to join Cisco ACS to domain.  I get the error "wrong domain".  Nslookup resolves the domain correctly.  ACS troubleshoot adcheck shows the below error
    ADGC     : Check Global Catalog servers
                   : There is no GC in site "INGUA"
                   : It is recommended that a GC exist in each site.
    Checked with AD team and they confirm that GC does exist at this site. It is a Windows 2008 R2.  I am able to telnet to the required ports from the ACS console.  Tried applying the latest patch.  Tried re-imaging the ACS server.  Still the issue remains.  Any help appreciated.
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.3.063
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ZINGUA6001
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.4.0.46.6
    Internal Build ID : B.221
    Patches :
    5-4-0-46-6

    Hi Minakshi,
    I performed the update before your post and I tested without deregistering all servers.
    So far, all was good.
    I had no issue and the update took me very little time without following the full UPGRADE procedure.
    The command also had a rollback for the update, so I took the risk.
    This is certainly not the case for upgrade but update seems to be easier.
    Kind regards.
    Steve

  • Cisco acs "manifest file not found" help

    srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
    Do you want to save the current configuration ? (yes/no) [yes] ? no
    6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
    7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
    7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
    7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
    7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
    % Manifest file not found in the bundle
    srvacs01/admin#
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: srvacs01
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40.40
    Internal Build ID : B.839
    Patches :
    5-3-0-40-7
    5-3-0-40-9
    Pointed-PreUpgrade-CSCum04132-5-3-0-40

    Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
    The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade ACS Express
    Solution
    Complete these steps in order to upgrade the ACS appliance without any issue:
    Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
    After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
    Use this command in order to install the upgrade:
    application upgrade <application-bundle> remote-repository-name
    This completes the upgrade procedure.
    Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
    Please refer to the upgrading ACS server 5.4 to 5.5 guide for the complete process.

  • ACS Engine IP always resets to 0.0.0.0

    Hi,
    We have a problem with our ACS engines. We have 2 ACS Engines and the problem is we cannot disable it as a DHCP client. When its ethernet connection goes down, its IP address resets to 0.0.0.0. The static IP address that we set on it does not retain when we unplug its ethernet connection. We're thinking that this is because the "DHCP enabled" is still set to "Yes" even though we have configured it to have a static IP. We have two new ACS engines and both have the same problem. Hope you guys can help.
    Thanks in advance.

    Hi,
    Yes, we have already tried that and this is the output:
    +++++++++++++after entering the IP parameters++++++++++++
    New Configuration:
    DHCP: No
    IP Address: 192.168.1.21
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1
    DNS Servers: 192.168.1.21
    IP Address is reconfigured.
    Confirm the changes? [Yes]:
    New ip address is set.
    Default gateway is set to 192.168.1.1.
    DNS servers are set to 192.168.1.21.
    Test network connectivity [Yes]: Yes
    Enter hostname or IP address: 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
    Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    ++++++++++++++then ACS services restart++++++++++++++++
    +++++++++++After entering the show command+++++++++++++
    Cisco Secure ACS: 4.1.1.23
    Appliance Management Software: 4.1.1.23
    Appliance Base Image: 4.1.1.4
    CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
    Session Timeout: 10
    Last Reboot Time: Thu Feb 21 18:26:49 2008
    Current Date & Time: 2/21/2008 18:31:48
    Time Zone: (GMT-06:00) Central Time (US & Canada)
    NTP Server(s): NTP Synchronization Disabled.
    CPU Load Free Disk Free Physical Memory
    0.00% 16.5 GB 794 MB
    Appliance IP Configuration
    DHCP Enabled. . . . . . . . . . .: Yes
    IP Address. . . . . . . . . . . .: 192.168.1.21
    Subnet Mask . . . . . . . . . . .: 255.255.255.0
    Default Gateway . . . . . . . . .: 192.168.1.2
    DNS Servers . . . . . . . . . . .:
    --- Please hit enter to continue ---
    CSAdmin running
    CSAuth running
    CSDbSync running
    CSLog running
    CSMon running
    CSRadius running
    CSTacacs running
    CSAgent running
    ++++++++++++++++then we enter the reboot command++++++++++++++++++++
    +++++++++After the reboot, this is the result of the show command:+++++++++++++
    Appliance IP Configuration
    DHCP Enabled. . . . . . . . . . .: Yes
    IP Address. . . . . . . . . . . .: 169.254.94.164
    Subnet Mask . . . . . . . . . . .: 255.255.0.0
    Default Gateway . . . . . . . . .:
    DNS Servers . . . . . . . . . . .:
    After the reboot, the IP is not saved.
    Regards
