How to monitor radius service in ACS 5?

Similar Messages

• How to monitor Radius services on ACS 5.4

  Hi All,
  I want to monitor  Radius services of ACS 5.4,  In case of failure any radius service on ACS.
  ACS should send alert to Syslogs  or email notification
  Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
  Regards.

  Hi Narinder,
     I dont think so there is any particular way you can do that, Because ACS 5.x doesnt have any particluar Radius service.
  The services which are available and can be viewed through CLI and GUI are following:
  Database
  Management (ACS management subsystem)
  Ntpd
  Runtime (ACS runtime subsystem)
  View-alertmanager
  View-collector
  View-database
  View-jobmanager
  View-logprocessor
  htt    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
  Cheers 
  Minakshi

• How to monitor RAC services and nodeapps in Grid Control

  Hi,
  I have created a number of RAC service names such as GL on a 2-node RAC and would like to use Grid control 10.2.0.2 to monitor the availability of those services and nodeapps. I was not able to find anything in Grid Control that would allow me to configure that. What are being monitored now are the listeners, database instances and nodes. Would it be possible to monitor more than just the RAC listeners, instances and nodes?
  thanks.

  I don´t think that there is an out-of-the-box metric. However, CRS monitors your services and Grid Control monitors CRS errors. If you need more granular monitoring, I have 2 suggestions:
  1) user callouts:
  [http://download.oracle.com/docs/cd/B28359_01/rac.111/b28254/hafeats.htm#RACAD7133]
  2) extending oracle enterprise manager
  I have written a paper on how to extend oem at [http://www.ora-solutions.net/web/papers/]
  "Extending Oracle Enterprise Manager to collect HP-UX glance data"
  You can follow the instructions to build a new target type called "RAC_SERVICE" and add your serivces as targets, e.g. S_BATCH, S_ONLINE, S_HR.
  Best regards,
  Martin Decker
  www.ora-solutions.net
  Edited by: mdecker on Jan 2, 2009 10:57 AM
  Edited by: mdecker on Jan 2, 2009 10:59 AM

• How to monitor Hyperion services

  Hi Experts,
  Some of the services stop working/not responding randomly which we come to know when user inform us.
  We find this is due to Hyperion services (like workspace and Planning) stop working.
  Is there any workaround (or better way to monitor) so that user continue access all features without any trouble?
  Normally we restart Hyperion services and everything again working normally.
  Regards
  Kumar

  Hi,
  Try this link below. It describes how to get alerted when a service stops.
  http://www.eggheadcafe.com/software/aspnet/31303233/you-will-need-to-create-a-bat-file-to-do-the-emailing-and-in-the-properties.aspx
  Cheers,
  Alp

• How to configure Radius failover in ACS 5.1

  Hi,
  I need to configure the ACS 5.1 to meet the following requirement :-
  1. ACS 5.1 will point to a RSA SecurID as the first authentication mechanism for the validation of user credential
  2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.
  I had no problem configuring for Point (1), but I am not able to let it failover to the local user database.
  Can any expert out there advise on the configuration portion?
  regards

  This is the reply from the TAC engineer,
  > I believe that you are hitting this bug:
  >
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method
  > =fetchBugDetails&bugId=CSCtl05416
  > While the notes for this  bug talk about problems with AD, the same
  > problem applies to _any_  identity sequence that you create.
  > For example, if you create an  Identity Store Sequence with the Identity
  > Stores A and B, the ACS will  _not_ go to Identity B if Identity Store A
  > is not available. It does  not matter what the order of identity stores
  > is in the sequence. This  is a known issue with ACS 5.2 and there is no
  > work around.
  >
  > This problem will be resolved in the next release of ACS, which will be
  > ACS 5.3. The 5.3 release will allow you to select what action is to  take
  > place is an Identity Store becomes unavailable.
  > "
  So would like to seek your opinion. In addition, also found this article.
  http://blog.pbmit.com/digipass2

• How to stop Radius/Tacacs service in ACS 5.2 ?

  Hi, is there a way to stop the Radius/Tacacs service in ACS 5.2 from the GUI ?

  There will be a more convoluted way to do it. Say for example want to do for RADIUS
  - define an access service that should take all RADIUS request
  - for identity policy authenticate against internal database and set the Advanced Option for "If user not found" to drop the request
  This should silently drop all RADIUS requests
  Can be done similarly for TACACS+

• RE: How to monitor who has what service objectconnection?

  We ran into this problem, specifically because we are using a dbsession
  connection pattern and the dba's did not like loosing control over
  connections. We have 8 subsystem, each with a dedicated connection that
  is shared across multiple users. We also have a security pattern in
  place that is token based. Since we have to pass a security token
  through service objects we can track this information using a
  "connection array" on the service object and a system agent to poll the
  contents of the array. When a sql statement is invoked on a
  persistence object we add the user to the array on the persistence
  manager (SO). When the sql is complete we remove the user from the
  array. Since the PO has a system agent we can ask the system agent at
  anytime, who has an open connection/session with the PO. Since system
  agents plug into econsole, the dba can go look any time.
  Any questions, please contact
  Chris [email protected] or
  Gary [email protected]
  MCI Systemhouse
  From: ADRIAN PEGGY LYNN
  To: [email protected]
  Subject: How to monitor who has what service object connection?
  Date: Tuesday, September 24, 1996 9:12AM
  Here at Eli Lilly & Co., we have a customer that would like to know if
  anyone out there has successfully
  devised a method to be able to tell what user has what service object
  connection. Basically, if a customer
  calls the system administrator with a problem with the application, the
  system administrator would like to
  be able to kill certain processes. Right now, the database connections
  running on the server all look the same.
  Some ideas were generated internally, one referring to setting up agents
  but we'd like to see if anyone
  has had success in doing this already that we could use as a contact.
  Thanks,
  Peggy Adrian
  Eli Lilly & Co.
  [email protected]

  Hello Peggy,
  I suggest that you make contact with Paolo Sidoli at DS Data (Italy). They
  have written a very nice package called DORE that includes trouble shooting
  utilities, that allow you to monitor what a remote user is doing (you can
  actually see their screen!).
  You can contact Paolo at [email protected]
  Best regards,
  Richard

• How to monitor ADFS 2012r2, Commercial services use HEAD and ADFS returns 500 instead of 200

  I have set up an on-prim ADFS and an off-prim ADFS.
  I want to use DNS Failover to monitor them and switch off-prim as required.
  I've tried both Amazon Route 53 and DNS Made Easy monitoring, and both appear to use the HEAD command rather than the GET command. How can I monitor these services? ADFS 2012r2 does not seem to support the HEAD command.
  curl -iX GET h t t p s ://fs.redclay.com/adfs/ls/idpinitiatedsignon.htm returns 200 whereas
  curl -iX HEAD ... or curl -I ... return 500 or just hangs forever.
  Only by the process of elimination have I come to the conclusion that the HEAD command is being used. I don't know how to sniffer SSL, but both DNSMadeEasy and AmazonAWS say the services are down when I know they are up.

  Hi,
  Would you please be more specific about your requirements?
  If you want to figure out how to use curl –iX command, you can refer to the Official Scripting forum below:
  http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
  If you have doubts about your third-party software, I suggest you contact third-party support to get accurate answers.
  If you just want to monitor your ADFS servers, you can configure performance monitoring as this article guides:
  Configure Performance Monitoring
  http://technet.microsoft.com/en-us/library/ff627833.aspx
  Best Regards,
  Amy Wang

• How to monitor service failover in RAC?

  Ok, I'm sure I'm being thick here, but i've been looking all morning and I can't figure out how to monitor when a service fails over from a preferred to available node.
  I can't see any way to do it in OEM, and nor can I work out if it's supported by FAN
  Does anyone have any suggestions before I start screaming/clawing at the screen?
  Thanks
  Rup

  Hello Buddy,
  One of your users are using FAILOVER cause values SELECT and BASIC on query output. Another users connected on that moment no able to use FAILOVER probably caused by misconfigured TNSNAMES.ora file. Check it on client or apps server machines.
  I hope this help u.
  Sample of Tnsnames.ora
  PRD =
  (DESCRIPTION =
  (LOAD_BALANCE = ON)
  (FAILOVER = ON)
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = RAC1-vip)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCP)(HOST = RAC2-vip)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCP)(HOST = RAC3-vip)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCP)(HOST = RAC4-vip)(PORT = 1521))
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = your_service_name)
  (FAILOVER_MODE =
  (TYPE = SELECT)
  (METHOD = BASIC)
  (RETRIES = 10)
  (DELAY = 1)
  Cheers,
  Rodrigo Mufalani
  http://mufalani.blogspot.com

• How to monitor Local IP Pools on ASA

  Is there a way to monitor the availability or usage of Local IP pools on an ASA?  Maybe an OID string that can be pulled by an NMS system.  I would like to be alerted prior to the pool being exhausted.

  As far as I know you can check this from your external authentication server so if its cisco acs acting a s radius server for your vpn clients then check under reports and activities >> logged-in user. It will show you the connected user along with the ip address they have got.
  Lists all users receiving services for a single AAA client or all AAA clients. Users accessing the network with Cisco Aironet equipment appear on the list for the access point that they are currently associated with, provided that the firmware image on the Cisco Aironet Access Point supports sending the RADIUS Service-Type attribute for rekey authentications.
  Note To use the logged-in user list feature, you must configure AAA client to perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.
  The same can be checked from the ASA by running
  show vpn-session db
  http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s7_72.html#wp1135352
  From ASDM go to Monitoring VPN >> sessions.
  Hope this helps.
  Rgds
  Jatin
  Do rate helpful posts~

• Adding RADIUS VSAs on ACS 3.2 SE

  I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
  Using RDBMS synchronization to import the csv file below.
  SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
  1,1,External,163,26,access=look,2334,1
  The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
  From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
  To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
  •V2 = IETF vendor ID (which in this case is 2334)
  •V3 = VSA attribute ID (1)
  •V1 = In this case 'access=look'
  After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
  From the FTP server I can confirm that the file was transferred.
  What I should get is an INFO message similar to:
  08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
  Any ideas as to what is wrong would be much appreciated.
  Cheers,
  Aylmer.

  HI you need to import the RADIUS VSA for PAcketeer from their site.
  The link to the steps as shown below is ( might require u to subscribe & login)
  https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
  IN any case the same content is copied below:-
  Also the stpes on how to do them is listed here
  Create a User Defined Vendor
  First, you need to create a User Defined Vendor.
  1. Create a text file (packet.ini) and enter the following:
  [User Defined Vendor]
  Name=Packeteer
  IETF Code=2334
  VSA 1=Packeteer-AVPair
  [Packeteer-AVPair]
  Type=STRING
  Profile=OUT
  2. Name the file packet.ini.
  Add the Vendor to the Database
  Next, you need to add the above vendor to the database.
  1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
  2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - Unassigned
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  3. Run csutil -addudv to and add Packeteer to UDV (User Defined Vendor) slot 0 or the next
  open slot.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  Adding or removing vendors requires ACS services to be re-started.
  Please make sure regedit is not running as it can prevent registry
  backup/restore operations
  Are you sure you want to proceed? (y/n)y
  Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
  Stopping any running services
  Creating backup of current config
  Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
  Adding VSA [Packeteer-AVPair]
  Done
  Checking new configuration...
  New configuration OK
  Re-starting stopped services
  Verify that Packeteer was added.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - RADIUS (Packeteer)
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  4. Return to ACS Admin and select Network Configuration.
  From the main screen select Network Configurtion and add the PacketShaper by supplying the AAA client Hostname, IP address: , Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
  5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
  of the form. Be sure the Packeteer-AVPair box is selected and supply either
  "access=touch" or "access=look" in the available entry space.

• CSS Script for checking RADIUS Service

  Hi,
  We are using CSS 11501 boxes for load-sharing RADIUS (NAC) requests between different ACS Servers.
  How can I configure a keepalive method for checking the RADIUS service on the ACS Servers ?
  If this needs to be a script then Can anyone provide some hints\tips ?
  Thanks,
  Naman

  This needs to be a script.
  The best way would be to sniff a request/response from a known user [or fake user], then extract the udp header + payload in hex format, then create a CSS script to send the hex formatted query and to verify that the hex formatted response matches the server response.
  I believe the ap-kal-dns script uses a similar approach so you can look at it to get an idea of what you have to do.
  Gilles.

• How to monitor a specific transaction in Solution Manager ?

  Hi all,
  I have configured the Service Level Reporting and it works correctly.
  But i don't know how to monitor a specific transaction like SM21, DB02, FB01N etc... ?
  In the SL Reports configuration steps, we can configure this option : Select Business Processes For SL Report. I did a lot of tests but it does not work.
  Have i to configure the Business Process Monitoring ?
  Thanks.

  Hello,
  it depends a little on what you want to do. If you use the pure CCMS monitoring with the table ALTRAMONI you get average response time per instance and you only get new measurements once the status changes from green to yellow or red.
  In order to get continuous measurements you should look into Business Process Monitoring and the different documentations under https://service.sap.com/bpm --> Media Libary --> Technical Information. E.g. the PDF Setup Guide for Application Monitoring describes this "newer" dialog performance monitor. Probably you have to click on the calendar sheet in the Media Libary to also see older documents as well. As the Business Process Monitoring integrates with BW (there is also a BI Setup Guide in the Media LIbrary) you can get trendlines there. This BW integration also integrates back with SL Reporting.
  Some guidance for SL Reporting is probably given under https://service.sap.com/rkt-solman but I am not 100% sure.
  Best Regards
  Volker

• How to monitor OSD TS failure and get alert or report?

  How to monitor OSD TS failure and get some alert or generate an report?
  We have SCCM 2012 R2 CU1 with MDT 2013.
  I have checked the OSD reports in SCCM and everyone is emty, where do SCCM get data to the what to activate?
  (I thinking of "Task Sequence - Deployment Status" reports)
  I am not sure people read report manually or lock at the MDT monitor view. So best I think that generate an email or incident in Service Manager when an TS fails.
  We do have SCOM, SCSM, SCO.
  Is there anyone that can point what way or what option I have?
  /SaiTech

  Specifically you could use this Status Message Query syntax to monitor your Task Sequences for errors:
  select stat.*, ins.*, att1.*, att1.AttributeTime from SMS_StatusMessage as stat left join SMS_StatMsgInsStrings as ins on stat.RecordID = ins.RecordID left join SMS_StatMsgAttributes as att1 on stat.RecordID = att1.RecordID inner join SMS_StatMsgAttributes
  as att2 on stat.RecordID = att2.RecordID where att2.AttributeID = 401 and att2.AttributeValue = "DOJ200A1" and stat.SiteCode = "DOJ" and att2.AttributeTime >= ##PRM:SMS_StatMsgAttributes.AttributeTime## order by att1.AttributeTime desc
  Just replace DOJ200A1 with the Deployment ID of your Task Sequence and DOJ with your SiteCode.
  If you want to generate an alert if the TS fails then you could run a script that calls a utility (or similar) which sends a pre-configured email to a specified address (as an alternative to Torten's response). This could be placed in the built in error
  logging section of the SCCM integrated MDT Task Sequence when it fails which I assume you are using (right at the bottom, called Gather Logs and StateStore on failure).
  There are heaps of ways of generating an email from a TS and controlling error logging just do a search - as you have Service Manager you could even use your instance of Orchestrator and call a run book in your TS which does the email?
  Cheers
  Damon

• How to monitor all SAP Server through solution Manager?

  Dear Friends,
  How to monitor all SAP Server through solution Manager?
  Is it possible if yes then how? Please forward configuration and transaction also.
  Please help me as early as possible..
  Thanks,
  Regards,
  Sachin

  Hi sachin,
  You can monitor your sattilite systems through solution manager.
  If you want to monitor systems in solution manager means you need to configure those systems in solution manager.
  Before including the systems in solution manager we need to create a solution using tcode <b>DSWP</b>.
  After that you can include the systems using tcode <b>SMSY</b>.
  For configuring the systems we have lot of phases its very difficult to explain here.
  Try to login to<b> service.sap.com</b> and <b>help.sap.com</b> find the helpfull guides.
  i hope it will help you.
  any issues post it.
  kiran kumar.v