HELP! Cisco ACS v 3.3
Greetings,
I have recently inherited an older ACS server. I am having trouble with certain ACS groups accessing resources which they are not assigned to.
I've set up the Windows Database and that works fine; when assigning a specific AD group to an ACS-defined group, that works also.
But when I assign another Windows AD group to another ACS group, this group can access resources in other groups, which I don't want.
Is there something I am missing? I looked up and down, with no luck.
Any help is appreciated.
Thanks!
Mike,
Is the user a member of multiple groups in windows? Here is the following note within ACS 3.3:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/qg.html
Group Mapping Order
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If there are Cisco Secure ACS group set mappings for both these combinations, Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user authenticated by an external user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the external user database group memberships of the user, Cisco Secure ACS assigns the user to the Cisco Secure ACS group of that group mapping and terminates the mapping process.
Clearly, the order of group mappings is important because it affects the network access and services allowed to users. When defining mappings for users who belong to multiple groups, make sure they are in the correct order so that users are granted the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users who belong to the Engineering and Marketing groups to Cisco Secure ACS Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a user of Group 1, and she is assigned to Group 1, rather than Group 2 like managers should be.
Tarik Admani
*Please rate helpful posts*
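The first-match rule quoted from the ACS guide can be checked offline. The following Python is an added example, not Cisco code: it walks a mapping list in order the way the guide describes, flags mappings that can never fire because an earlier, less specific mapping already matches every user they would match (Mary's case, and the likely cause of Mike's users landing in the wrong group), and reorders the list most-specific-first. Mapping names, group names and the "All other combinations" catch-all are constructed for illustration.

```python
# Simulation of the Cisco Secure ACS "group mapping order" rule (added
# example, not Cisco's code). A mapping is (name, required external groups,
# ACS group); the list is evaluated top to bottom and the first match wins.

def map_user_to_acs_group(user_groups, mappings):
    """Return (acs_group, mapping_name) for the first mapping whose required
    external groups the user all holds. An empty requirement set acts as the
    catch-all entry at the bottom of the list."""
    held = set(user_groups)
    for name, required, acs_group in mappings:
        if set(required) <= held:
            return acs_group, name
    return None, None


def shadowed_mappings(mappings):
    """Return (shadowed, by) pairs. A mapping can never fire if an earlier
    mapping requires a subset of its groups: every user matching the later
    mapping has already matched the earlier one and mapping stopped there."""
    result = []
    for i, (name, required, _) in enumerate(mappings):
        for earlier_name, earlier_required, _ in mappings[:i]:
            if set(earlier_required) <= set(required):
                result.append((name, earlier_name))
                break
    return result


def most_specific_first(mappings):
    """Reorder so mappings requiring more groups come first. The sort is
    stable, so equally specific mappings keep their relative order and the
    empty catch-all stays last."""
    return sorted(mappings, key=lambda m: -len(m[1]))


# Constructed data: the Mary example from the ACS guide text.
MARY = ["Engineering", "Marketing", "Managers"]
MAPPING_A = ("Mapping A", ["Engineering", "Marketing", "Managers"], "Group 2")
MAPPING_B = ("Mapping B", ["Engineering", "Marketing"], "Group 1")
CATCH_ALL = ("All other combinations", [], "Default Group")

B_FIRST = [MAPPING_B, MAPPING_A, CATCH_ALL]   # the misordered list
A_FIRST = [MAPPING_A, MAPPING_B, CATCH_ALL]   # the intended order

if __name__ == "__main__":
    print(map_user_to_acs_group(MARY, B_FIRST))   # ('Group 1', 'Mapping B')
    print(shadowed_mappings(B_FIRST))             # [('Mapping A', 'Mapping B')]
    print(map_user_to_acs_group(MARY, most_specific_first(B_FIRST)))
```

Running shadowed_mappings over an export of your own mapping list (in the order shown in the ACS GUI) points straight at the entries that can never be reached.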
Similar Messages
-
Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS
Hi all
I have set up a dial-up connection between two PCs at a remote site and the center. It is using ISDN 30B+D, which is configured on a Router 3845. Currently I have configured an authenticated connection with username and password using Cisco ACS. To enhance the security configuration I want to also authenticate the phone number which dials up, with Cisco ACS. Currently I have not done this. Please help me solve this problem.
Thanks so much
Longn
1) I deleted bridge-utils, netcfg
2) I edited /etc/hostapd/hostapd.conf:
interface=wlan0
#bridge=br0
edited /etc/dnsmasq.conf:
interface=wlan0
dhcp-range=192.168.0.2,192.168.0.254,255.255.255.0,24h
and edited /etc/rc.local:
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
ifconfig wlan0 up
3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
Profit! -
Cisco acs "manifest file not found" help
srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
Do you want to save the current configuration ? (yes/no) [yes] ? no
6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
% Manifest file not found in the bundle
srvacs01/admin#
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: srvacs01
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.3.0.40.40
Internal Build ID : B.839
Patches :
5-3-0-40-7
5-3-0-40-9
Pointed-PreUpgrade-CSCum04132-5-3-0-40
Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
The "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" error appears when an attempt is made to upgrade ACS Express.
Solution
Complete these steps in order to upgrade the ACS appliance without any issue:
Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
Use this command in order to install the upgrade:
application upgrade <application-bundle> remote-repository-name
This completes the upgrade procedure.
Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
Please refer to Upgrading an ACS Server from 5.4 to 5.5 for the complete process. -
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2. I use tacacs+ authentication for logging into the Cisco router such as telnet and ssh. In the ACS I use "external user databases" for authentication which proxy the request from the ACS over to the RSA SecurID Server. I installed RSA Agents with sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
Everything is working fine. In the "User Setup" I can see dynamic user test1, test2,...testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into "test1" user setting and select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this. The solution is clearly not scalable. Is there a setting from group level that I can do this?
Any ACS "experts" want to help me out here? Thanks.
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
The way you described, it seemed like anyone in this group can go directly into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
How to hide line console parameters through Cisco ACS
Hi,
Can any one of you please help me in the following scenario ?
I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user level privileges through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he had privilege level 7 access.
Can you please help me out how to achieve this? Your help in this regard is highly appreciated.
Thanks
This thing is possible with local authorization on IOS device. With ACS this is not possible.
In acs you can set what all commands a specific user can issue. That feature is called command authorization.
For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.
Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
Note : Having priv 15 does not mean that user will able to issue all commands.
We will set up command authorization on acs to have control on users.
This is how your config should look,
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
[Cisco ACS 5.2] Windows XP - EAP-TLS error
Hi,
We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
We just replaced RADIATOR with Cisco ACS 5.2 .
Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Description:
While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
Resolution Steps :
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
If it was a known issue, we would have this error for other computer but we don't have (fortunately )
Wireless profile is sent to computers using GPO so they trust ACS server certificate...
Do you know how to correct this issue on XP supplicant? I dont find this issue on Google
Thanks for your help,
Patrick
Patrick,
One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.
If that doesn't fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
Thanks,
Tarik Admani -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request,
could you please ensure that in ACE, on every context (including Admin and others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
On the ACS side, for the group named "Network Administrators" you should configure in TACACS settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Cisco ACS 5.4.0.46.6 - Cannot join to domain
I am not able to join Cisco ACS to domain. I get the error "wrong domain". Nslookup resolves the domain correctly. ACS troubleshoot adcheck shows the below error
ADGC : Check Global Catalog servers
: There is no GC in site "INGUA"
: It is recommended that a GC exist in each site.
Checked with AD team and they confirm that GC does exist at this site. It is a Windows 2008 R2. I am able to telnet to the required ports from the ACS console. Tried applying the latest patch. Tried re-imaging the ACS server. Still the issue remains. Any help appreciated.
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.3.063
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: ZINGUA6001
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.6
Internal Build ID : B.221
Patches :
5-4-0-46-6
Hi Minakshi,
I performed the update before your post and I tested without deregistering all servers.
So far, all was good.
I had no issue and the update took me very little time without following the full UPGRADE procedure.
The command also had a rollback for the update, so I took the risk.
This is certainly not the case for an upgrade, but an update seems easier.
Kind regards.
Steve -
Dear all,
Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
Best regards,
Piotr
If this happens with all machines then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
I am sorry if I am not able to help but I am not using the anyconnect for production.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Cisco ACS 4.2.1 authentication problem
We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see the dynamic user in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.
Hi there,
There is a section in ACS 4.x where you can define if the ACS should show the dynamic users or not; make sure that this option is unchecked. For this go to External User Databases / Unknown User Policy / Configure Caching Unknown Users.
Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
Let me know if this helps. -
Integration Of Cisco ACS and MS Active Directory !!!
Hi all,
We have a Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me?
Thanks for your help
Regards!!!
Rafael Turriago
Hi,
If you have ACS SE and you want to integrate with MS AD, then you need to install the Cisco ACS Remote Agent on a PC that belongs to the domain.
The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
The Remote Agent is the application responsible for exchanging data with the DCs.
You can find detailed information in the config guide:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Cisco ACS 5.1 Tacacs with Juniper Srx 210
Hi all,
I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
Can anyone help me with how to add the Junos service in ACS 5.1? How to integrate Juniper SRX 210 in Cisco ACS 5.1?
Hello Pranav
As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS what the TACACS (or RADIUS) attributes needed for that device are.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
Please rate if it helps. Kind regards -
Cisco ACS 4.1 Windows License Key Question
How do I obtain the license key for my Cisco ACS Server for Windows software v4.1?
For acs windows, there is no license key. You need to purchase the acs software.
During installation, it does not ask for any key.
Regards,
~JG
Do rate helpful posts -
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There is no problem between the primary WLC and Cisco ACS (primary and secondary).
When the secondary WLC requests the primary Cisco ACS, I get this error: "11036 The Message-Authenticator RADIUS attribute is invalid"
The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This may be because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
Patrick
Tarik Admani wrote:
Amjad,
That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
Thanks,
Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
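The ACS hint about mismatched shared secrets in the thread above follows from how the attribute is built: RFC 2869 defines Message-Authenticator as an HMAC-MD5 over the whole request, keyed with the RADIUS shared secret, so a server whose copy of the secret for that client differs cannot reproduce the value and rejects the packet. The Python below is an added example, not Cisco code; it builds an Access-Request the way a WLC would and verifies it the way the ACS does. The secret, user name and addresses are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, attributes, authenticator=None):
    """Build an Access-Request that ends with a valid Message-Authenticator.
    The attribute is first written as 16 zero bytes; then the HMAC-MD5 of the
    whole packet, keyed with the shared secret, replaces those zeros."""
    if authenticator is None:
        authenticator = os.urandom(16)
    body = b"".join(attributes) + build_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None."""
    pos = 20  # code, identifier, length, 16-byte authenticator
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return None  # malformed attribute; stop parsing
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None


def message_authenticator_valid(packet, secret):
    """What the server does on receipt: zero the attribute, recompute the
    HMAC-MD5 with its own copy of the shared secret for this client, and
    compare in constant time. A mismatch (wrong secret on either side, or a
    modified packet) is the condition ACS reports as 11036."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    received = packet[off:off + 16]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: the secondary WLC sending a request with its secret.
WLC_SECRET = b"wlc2-shared-secret"
SAMPLE_REQUEST = build_access_request(
    identifier=42,
    secret=WLC_SECRET,
    attributes=[build_attr(USER_NAME, b"patrick"),
                build_attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 20]))],
    authenticator=bytes(range(16)),
)

if __name__ == "__main__":
    print("same secret:", message_authenticator_valid(SAMPLE_REQUEST, WLC_SECRET))
    print("other secret:", message_authenticator_valid(SAMPLE_REQUEST, b"other"))
```

Because the check is per client entry, the secret the primary ACS stores for the secondary WLC's IP address is the one to compare against the WLC configuration, independently of the entry that works for the primary WLC.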
Rendering a Cisco ACS page is broken in Firefox 15
Since updating to Firefox 15, a page inside my Cisco ACS appliance does not render: Access Policies > Access Services > Default Network Access > Authorization.
The page has historically taken 15-20 seconds to fully load its contents, and the page now renders as if Firefox 15 got sick of waiting and just displayed what content it had. Is this a problem with rendering the page or perhaps did the value of a timer get changed in Firefox 15?
The Cisco appliance is not public-facing, so I am happy to do a screen-sharing session with a Mozilla engineer if it would help troubleshoot. Thanks.
Still broken in 16... Great, now I have to run a version that is 2 versions old.
-
Cisco ACS version 4.2 patch update
Dear All,
I am using Cisco ACS version 4.2(0) Build 124 and I would like to upgrade it with the latest patch. Can anyone provide me the step-by-step procedure for the upgrade through the serial console or through the GUI?
It would also be appreciated if you could provide me the exact link / patch for the 4.2(0) release.
Regards..
CiscoWorks can use various mechanisms to discover the devices on your network.
The network administrator can discover the devices using different protocols, such as Cisco Discovery Protocol, BGP, OSPF, Address Resolution Protocol (ARP), HSRP, cluster, routing table, and ping sweep on IP range, that are activated at different layers of the Open Systems Interconnection (OSI) model in the device.
It has a benefit when the devices on the network are not responsive to any other modules of Discovery.
Usually the other modules learn the IP of the neighbour device from their data, like asking for CDP neighbour details or the OSPF table, whereas in Ping Sweep LMS will simply continue to check devices based on the IP range.
Example: if you selected Ping Sweep On IP Range, you can specify the seed device as 10.77.209.209 and the subnet mask as 255.255.255.240. Entering a smaller subnet mask value may result in a longer discovery cycle, as discovery has to sweep IP addresses from more networks. It is recommended to enter a Class C mask instead of a Class A or B mask.
So using Ping Sweep helps you find your devices faster if it is a fairly simple network with a simple range of IPs on devices, maybe on a single subnet.
More details on How Ping Sweep Algorithm Works technically behind, in LMS, is available here:
https://supportforums.cisco.com/docs/DOC-9005#Ping_Sweep_On_IP_Range
This document describes, in depth about all modules used in LMS Device Discovery.
Hope it will be helpful to understand.
-Thanks
Vinod
**Rating encourages contributors, and it's really free.**