Maximum "Internal Hosts accounts" on ACS 5.2

Similar Messages

• Creating internal user account in ACS 5.2

  I have an ACS 5.2 server integrated with Active directory . Now i need to create an internal user account to login to some radisu devices using internal user database  .I have near about 600 users all are authenticating through AD .
  Regards ,
  Sandeep

  There is system account in ACS ,which is using to run the scripts . in AD the same account is cerated as a service account and last day the account got expired .we extended that account but its not working ,As per AD team there is no issue from AD side .but we are unable to login to the devices using that account .when we are running the script contineous failed attempts is coming .
  So now we need to create an internal account for testing purpose .
  I have created the same and issue got fixed .

• [ACS 5.4] Add Internal hosts using API

  Hi,
  I tried Machine authentication after importing MAC Address in internal hosts.
  Is it possible to use ACS API to import those MAC Address?
  I want to develop a specific web interface for support to do this action.    
  Thanks for your help,
  Patrick

  Hi Horst,
  Currently this feature is not there, you cannot use filters based on admin created attrbutes,
  An enhancement is already open:
  CSCui17182 ACS user filtering using custom attribute
  Supposed to be included in 5.5, but it was not, so you can look forward to it on future ACS patch.
  Save this ID on the bug search and you will get a notification.
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• Python Script to add internal hosts on ACS 5.2

  Hi,
  is there any example how to add/remove a internal host via python script, like you would do it via the GUI under "User and Identity Stores -> Internal Identity Stores -> Hosts" ?
  regards
  Dirk

  Hi Dirk,
  where do you plan to run your script ? on a server external to the ACS I guess right ?
  Then the question is more "is there a way to add a user through CLI on ACS" because that is what the script would be using right ? And there isn't such a way to my knowledge.
  Nicolas
  ===
  don't forget to rate answers that you find useful

• Command accounting with ACS

  HOw can I achive command accounting via acs I have configured devices as below but no luck
  aaa accounting exec aaa-list start-stop group bwaaa
  aaa accounting commands 1 aaa-list start-stop group bwaaa
  aaa accounting commands 15 aaa-list start-stop group bwaaa
  aaa accounting system default start-stop group bwaaa
  any idea about it

  Hi, I am using 4.2 version appliance. I am using tacacs+ u can s below config for your reference
  aaa new-model
  aaa group server tacacs+ bwaaa
  server 10.2.6.1
  server 10.2.6.2
  ip tacacs source-interface Vlan1111
  aaa authentication login aaa-list group bwaaa local
  aaa authentication enable default group bwaaa enable
  aaa authorization exec aaa-list group bwaaa local
  aaa accounting exec aaa-list start-stop group bwaaa
  aaa accounting commands 1 aaa-list start-stop group bwaaa
  aaa accounting commands 15 aaa-list start-stop group bwaaa
  aaa accounting system default start-stop group bwaaa
  aaa session-id common
  tacacs-server host 10.2.6.1 timeout 25
  tacacs-server host 10.2.6.2 timeout 25
  tacacs-server timeout 25
  tacacs-server directed-request
  tacacs-server key cisco123

• How can I map SSH from an outside network range to an internal host (ASA 5505)

  Cisco Adaptive Security Appliance Software Version 7.2(4)
  Device Manager Version 5.2(4)
  - External network range that needs SSH access: 8.8.8.0/24
  - Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)
  - Inside Network: 192.168.100.0/24
  - Inside host to redirect external SSH to: 192.168.100.98
  Hi All,
  I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought.
  Can anyone help with this? What commands should I enter to accomplish mapping SSH from an outside network range to an internal host?
  Many thanks,
  Tarran

  This may or may not work depending on how your modem handles the natting. On your firewall try this -
  static (inside,outside) tcp interface 22 192.168.100.98 22
  then add this to your acl on the outside interface of your ASA -
  access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22
  if you don't have an acl applied then add this extra step -
  access-group outside_in in interface outside
  Jon

• ACS 5 : 24463 Internal error in the ACS Active Directory

  I am configuring ACS 5.
  I have group in AD created. There is 2 users in the group. Usera are from different OUs.
  One user get authenticated.
  The other failing to get trough authentication with following error:
  24463 Internal error in the ACS Active Directory
  Could anybody help?
  P.S. I have something to add.
  It works for some users and does not for others. I have created new user and it worked.
  So it looks it is sometjing in user properties of groups it belongs to.

  This is Bug
  CSCsx94072

• Adobe Connect 9 for hosted accounts

  We have a hosted Adobe Connect account. We were notified that our hosted account would be upgraded to AC9 automatically on December 9th, but AC9 features are not enabled. What does our Administrator have to do to enable Adobe Connect 9 new features?

  You asked durrning Adobe's shutdown week, so the answer is slow in comming. As I recall, I had to log out and log back in for the new version 9 features to wake up, but it may have been a browser cookie issue. If you truly don't have Connect 9 (you can double check by mousing over the "Help" link on the login page and it will show your version of Connect), then you should call support at 800-945-9120.

• Internal Bank account

  Hi,
  We have created an Internal bank account and assigned it to the operating unit, but while creating Payment Process Request this Internal Bank account is not getting listed in list of values. hence we were not able to complete the PPR request. Kindly clarify how the bank account can be made to available for PPR.

  Hi,
  Please refer R12 Cash Management User Guide "121ceug.pdf" page 351 chapter 9 "Cash Transactions'
  Thanks,
  Ram

• ASA 8.2(1) Global and NAT statements, natting certain internal hosts

  Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
  I am running an ASA firewall, we are performing PAT with one Public IP Address for all inside traffic accessing the Internet.  We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different than the current Global IP for all other internal traffic.  I understand I could Nat thier Internal IP Address to a public IP, but I don't need each server to have it's own public IP, I'd like for all of them to share one.
  Thoughts on how to accomplish this?  Thanks!

  Hi,
  To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
  Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
  In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presumed thats what they are called on your firewall)
  This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
  global (outside) 1 interface
  nat (inside) 1 10.10.10.0 255.255.255.0
  So the above is probably the type of configuration you have at the moment?
  For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
  global (outside) 2 1.1.1.1
  nat (inside) 2 10.10.10.1
  nat (inside) 2 10.10.10.2
  nat (inside) 2 10.10.10.3
  If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
  Without seeing the configurations I dont think I can say much more.
  Naturally "packet-tracer" is an excellent command to confirm what what NAT/PAT is applied for a hosts connection.
  For example if you wanted to test host 10.10.10.1 applied ASA configurations/rules towards some external hosts you could issue this command
  packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
  This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
  Active translations on the firewall you can show with the command
  show xlate
  It does have a lot of additional parameters after the "xlate" if you want to have more specific output
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni

• Categories, International, Itunes account

  Hi,
  I would like to submit a podcast that has a global audience as target. Since I am from Germany and my itunes account is naturally also German, I am worried that my podcast will only show in the German directory. Do I have any influence on that? If I had the choice I'd rather have it in the US-itunes.
  In the rss I declared "english-us" as default language, does that help?
    Windows XP  

  Texas Mustang,
  There is no international iTunes Store, and there is no such thing as an international iTunes account.  There are 120+ individual country stores, each open only to people who have a billing address in that country and who are physically in that country at the time of purchase.
  If you meet those criteria in your current location, you can either change your account to the new country, or start a new account in the country.

• HT2534 How do I get an international iTunes account setup. I am living in Mexico for a few months and was told by nbaleague pass that I needed an international iTunes account.

  I was told by NBAleague pass that I needed an international iTunes account and I do not know how to sign up for one.
  Thanks

  You can create a new account on your iPad e.g. tap on your existing id in Settings > iTunes & App Stores and log out of it and you should then get a 'Create New Apple ID' option.
  If you want to create an account without giving credit card details then log out of your existing account and then follow the instructions on this page for creating it : http://support.apple.com/kb/HT2534 i.e. log out and then go to the App Store app and find a free app, tap on its free 'price', tap 'install app', then tap 'create new Apple id' and select your country's store and create an account.

• Hi, i have a second hand iphone 4s and i made a AppleID and everything was ok, but when I turn on the icloud, i write the appleID and the password but then appears a error message saying: "This iPhone has been activated the maximum number of accounts"

  Help me how can i put/activate my icloud account

  If you are getting that message you will not be able to create a new iCloud account on your phone because the maximum number of accounts has alread been created.  Your only options are to either re-use one of the accounts previously created or create a new account using a different iOS device or Mac, if you have one.

• Custom 404 w/Shared Hosting Account

  I'm running on a shared hosting account and am working with
  one of the technicians who says he enabled the "check if file
  exists" setting in IIS, which should force ColdFusion to use IIS'
  default 404 handler.
  The problem is, it's not, and I while I'm still working with
  him I'm worried they may decide to not waste time on this for me.
  Should this end up happening, are there any other options for
  enabling a custom 404 for .cfm files without having access to
  ColdFusion Administrator? I've seen some talk of doing it with a
  .cfc, but (as I posted in another thread) I need a quick primer on
  application.cfc versus .cfm, and information on what ColdFusion
  version is required.
  Basically I'm trying to come up with a way to parse
  non-existent URLs like this:
  http://www.mydomain.com/username
  --------------------->
  http://www.mydomain.com/file.cfm?user=username

  Why is he going through the App Mappings tab? What does that
  have to do with specifying a custom 404 template? There is a
  specific tab in IIS already for custom errors. You just edit the
  one for 404 to point to your script wherever it may live.
  Aside from that, do you have access to your own CF admin
  console? You might have already thought of this, but you don't have
  to mess with IIS to create, or point to, custom 404 pages if you
  don't want. You can use CF by specifiying a Missing Template
  Handler. Then you can use CFIF tags to tell it what kind of message
  to display based on which one of your web site domains it's coming
  from since it is actually a global handler.
  Btw, a full restart should not be necessary. Sounds to me
  like the technician doesn't know what he's doing.
  Probably more questions than answers, but hopefully this
  gives you some direction. If you have Windows XP or 2003
  Professional on a PC you can very easily set up IIS and ColdFusion,
  run them from under
  http://localhost and test all these
  things yourself. That's what I would do.

• Outbound web request to internally hosted (natted server)

  Hi, I've got an issue with hairpining traffic on the ASA, it's a bit different to the usual VPN in/out query, not sure of the best way to approach this:
  [example names/IPs used]
  a)Web server hosted in dmz. External DNS resolves www.example.com to 8.8.8.10, ASA NATs 8.8.8.10 (outside) to 192.168.1.10 (DMZ)
  b)Outbound web request (from internal network client) 10.0.0.1 is natted to source 8.8.8.9 (outside) - doesn't use a proxy and uses external DNS.
  Web browsing to externally hosted sites works fine (as you'd expect), inbound web requests from foreign addresses works fine. When internal client browses to www.example.com, request fails.
  I assume this is because the outbound request is Natted to originate from 8.8.8.9 and destined for 8.8.8.10 which is on the same interface on the ASA.
  As the client is not using a proxy I cannot manipulate or redirect the request at this level.
  What would be the best way to address this issue? Would I create some kind of NAT exception/configuration like :
  source=10.0.0.x destination=8.8.8.10 NAT to source=10.0.0.x destination=192.168.1.10? meaning I would have multiple NAT rules (for multiple internally hosted servers) or is there a better way of doing this (given I am working with the outside interface which will include public traffic)? 

  So inside hosts are trying to access www.example.com using an external DNS.  is the 8.8.8.10 address being fully NATed to the 192.168.1.10 address or is PAT being used (only specific ports being NATed).  the reason I ask is that an option would be to use DNS doctoring but this is not supported when using PAT.  this is done by adding the dns keyword at the end of the NAT statement.
  What version ASA are you running?
  Another option would be to NAT the 8.8.8.10 to 192.168.1.10 from the inside to the DMZ.  NAT exemption will not work as that just prevents NATing from taking place.  You would need to NAT traffic destined for 8.8.8.10 on the inside interface to the DMZ.
  Both options are good options, but if possible I would go with the first option.