NAR problem in ACS

Hello,
These are my settings in the ACS (version 3.3):
In the group setting under "Network Access Restriction" I have specified "Table Defines" = "Denied Calling/point of access location". The aaa-clients are switch-1, switch-2 and switch-3 with port * and address *.
Under the "Define CLI/DNIS-based access restrictions" I have defined "Table Defines" = "Denied Calling/point of access location".
The clients are *, ports are *, CLI are * and DNIS are *.
My problem is when trying to log in via console-port to any switch (could be switch-55 for example) in the network I get a FAIL in the ACS with "User filtered". Telnet to the switches works fine.
Can anybody help me if this is a configuration error?
The ACS version is 3.3 but I have the same problem with 3.2
Best Regards
Robert Maras

Similar Messages

  • Problem in ACS 5.2 on Virtual Machine

    Hi Everyone !
    I have a problem with the interface on the ACS 5.2. The interface works fine but goes down unexpectedly, and only if I make (for example) a ping to the default gateway does it come back.
    Can somebody please help me?
    Regards.
    Rodrigo

    We say that it's not tested by Cisco. You will be able to install ESX 4.1 just fine but there might be some issues with services/processes. In that case TAC won't support those issues. vSphere is a VMware management tool. ACS 5.x doesn't support/run on vSphere. ACS 5.3 should officially support ESX 4.1.
    Virtual Machine Requirements
    The minimum system requirements for the virtual machine must be similar to the CSACS-1120 Series appliance hardware configuration.
    Table 6-1 lists the minimum system requirements to install ACS 5.2 on a VMware virtual machine.
    Table 6-1     Minimum System Requirements
    Requirement Type    Minimum Requirements
    CPU                 Intel Core2; 2.13 GHz
    Memory              4 GB RAM
    Hard Disks          500 GB of disk storage
    NIC                 1 GB NIC interface
    Hypervisor          VMware ESX 3.5 or 4.0
    Note: You can use VMware Server 2.x only for an evaluation version of ACS 5.2. For an evaluation version, the disk space must be between 60 GB and 500 GB.
    Evaluating ACS 5.2
    For evaluation, ACS 5.2 can be installed in a VMware Server 2.x virtual machine or a VMware ESX virtual machine. When evaluating ACS 5.2, you can configure less disk space in the virtual machine, but a minimum disk space of 60 GB is required.
    Rgds, Jatin
    Do rate helpful posts~

  • Integration problem between ACS 5 and AD 2012

    Hi Guys,
    ACS 5.5 is installed on SNS-3415 appliance.
    Integration with Active Directory 2012 has been successfully completed.
    The problem which I'm facing is that I can't see all the groups of AD under ACS; I see only a few of them.
    Also, if I create a new group in AD, I can't see it in ACS.
    I tried to add it manually on ACS, but it is still not working.
    Any clue?
    Regards,
    Rami

    Hi Rami,
    What kind of group is it? ACS supports only LOCAL & GLOBAL groups.

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign a shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group.
    Has anyone had a similar problem, or is there something that I am doing in a wrong way? Is there another way to achieve such a thing without using NDGs?
    Thanks everyone....

    Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • Problem with ACS 4.2 Database replication

    Greetings,
    I am not able to replicate Database between two ACS SE 4.2. I am getting the following error:
    Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
    The configuration apparently is ok. I am attaching the configuration from both ACS.

    The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded like Nevin told:
    - I connected to the console and made a "show".
    - The IP was the correct one, but as indicated I made a "set ip"
    - The system asked for the new IP, showing the old one between brackets: ie "New IP [10.10.10.1]:"
    - I pressed Intro, because the IP is correct.
    - After confirming the IP, mask, gateway and DNS the system asked me to verify connectivity. I did it and was correct.
    - The second time it asked to check connectivity I answered No. and nothing happened.
    - We checked through the web but the "Self" IP was still 127.0.0.1.
    - So I made the process again BUT this time I changed the IP to another one. After finishing, (when I answered No to check connectivity) I saw that the system was stopping all ACS processes and starting them again.
    - In the web page the "Self" IP was the new one.
    - I made the process again changing the IP to the original one. This time also the system stopped and started all processes.
    - In the web page the "Self" IP was correct.
    - Now the replication worked correctly.
    So the problem was that the system is "intelligent" and if it discovers that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and then change again to the correct one.
    I hope this can help other people.

  • Problems with ACS View Eval

    Hi,
    I have installed the eval 4.0 ACS View.
    If I generate a report, a window comes up with the following message:
    Exeption
    Version Mismatch
    See Stack Trace
    Does someone know a solution?
    Thank you.

    The problem was not enough disk space. My initial VM had only 32 GB. I got a larger disk and a 50 GB VM and the install went well.

  • Problems with ACS 4.2 replication

    I installed the primary and secondary server.
    I see only one problem in the logs.
    When I try to replicate
    I get this:
    cisco acs 01/04/2012 23:50:58 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:40:25 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:29:51 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:19:16 NTVMEM73 INFO
    No further issue.
    Can someone help me?

    Hello,
    There are still important files missing. Are both ACS servers configured for Full Detail of logging?
    Also, are you selecting the following when collecting the package?
    There are still missing files on the package.cab file that I need. Please try again with the above settings.
    Regards

  • AD Link Problem with ACS 5.2

    Hello all,
    we have a problem with an ACS 5.2. We have installed the software on VMware. The machine is running without problems.
    Now I would like to connect to our AD. The connection is OK but I cannot see any groups when I make a search.
    I get a failure message in the CLI:
    *** glibc detected *** corrupted double-linked list: 0x43b77858 ***
    Does anyone know this message?
    Thanks for help.

    Hi Erick,
    thanks for your answer.
    I could solve this problem. I had installed ACS version 5.2 but without the new patch.
    With this patch I can connect to the AD and can see all groups.
    regards
    Andreas

  • Accounting problem at ACS

    I configured IPsec remote VPN on the ASA. Users authenticate against ACS via the RADIUS protocol. All of that is OK, but we do not see the user name, IP address or MAC address in ACS.
    What must I do? Do I need to do any configuration on the ASA or ACS?
    This is my ASA configuration part for VPN.
    aaa-server cosmoasa1 protocol radius
    aaa-server cosmoasa1 (inside) host 192.168.193.xx
    key cosmoasa1test
    radius-common-pw cosmoasa1test
    aaa authentication ssh console LOCAL
    group-policy RAVPN attributes
    dns-server value 192.168.193.10 192.168.193.11
    vpn-idle-timeout 45
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel
    default-domain value azercosmos.local
    tunnel-group vpnclient type remote-access
    tunnel-group vpnclient general-attributes
    address-pool VPNPOOL
    authentication-server-group cosmoasa1
    default-group-policy RAVPN

    Did you fix that problem???
    I got exactly the same one and would need an idea!
    Many thanks
    Roland

  • Problem with ACS Server

    Good morning;
    I hope this is the right forum so here it goes. I have an ACS server v4 that keeps hanging. If I try to restart the service (CSAuth), the service hangs and the only thing I can do is restart the server. Is there something I can do to fix this or troubleshoot it better?
    Thanks

    Good morning,
    I have the same problem with an ACS 3.3.3 that occasionally restarts CSAuth for a configured function to proceed, but the service keeps hanging.
    Have you found any solution?
    Thanks

  • Problem with ACS 4.1 using certificate

    I have an ACS 4.1 appliance, and I have already configured ACS to work with certificates. I got the certificate from ACS and installed it as the installation guide says. Additionally, I configured the card's controller in my PC to manage certificates.
    When I try to be validated by ACS I cannot go on, because a message appears saying "click to select a certificate". After I click, a window appears asking for user and password; however, I did not expect to receive this window.
    The switch port was configured as follows:
    aaa new-model
    aaa authentication dot1x default group radius+
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
    switchport mode access
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 3
    dot1x reauthentication
    radius-server host (ip address) auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key password
    What am I doing wrong, or is there something missing?

    1) Did you install the Certificate file in the local machine? (Right click >> Install Certificate >> And so on..)
    2) Are you using the built-in Dot1x supplicant in Windows XP? Is it set to MD5?
    3) Did you select this installed certificate from the drop-down menu in the wireless software?
    Regards
    Farrukh

  • RDBMS Synchronization problem in ACS Appliance 3.3

    Hi,
    I was adding multiple AAA clients on the ACS Appliance using the RDBMS Synchronization option. I followed the complete steps but failed to synchronize the accountActions.csv file on ACS. My FTP server is working fine and returned logs saying "accountActions.csv file read recieved file successfully size 0 bytes 0.00 kbps", and the RDBMS synchronization log on ACS reported "No import CSV file on ftp server - nothing to process". I have attached related screenshots. Any help on this issue will be highly appreciated.
    Thanks in advance
    Best Regards,
    Ahmed

    The format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
    I have attached a sample accountsAction.csv file for you.
    (i) The AAA Client C7609-X with the IP address 10.10.10.10 has been added with the shared secret key as mikey and is registered with TACACS+
    (ii) The NDG michasisX has been added.
    (iii) The device C7609-X has been added to the NDG michasisX
    Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
    Then you can add the devices as per the sample file attached.
    Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS
    Hope this helps,
    Soumya

  • Problems upgrading ACS 3.3 to ACS 4.0

    I have a Cisco ACS server 3.3 running on a Win2k platform and I have to upgrade to ACS 4.0 on Win2k.
    - backing up 3.3 and restoring files on 4.0 using web interface doesn't work;
    - the same operation using csutils.exe doesn't work (csutil -b [...] and then csutil -r [...])
    - I have installed the new machine with ACS 3.3, I have imported user/group/data with csutil, then I have installed ACS 4.0 using setup.exe; the result is that ACS's services fail to start
    Any idea?!
    THX a lot.

    Hi Antonio,
    - backing up 3.3 and restoring files on 4.0 using web interface doesn't work.
    *It won't work, as in ACS we can back up and restore the database only among ACSs of the same version; the same applies for replication.
    - the same operation using csutils.exe doesn't work (csutil -b [...] and then csutil -r [...])
    *Answer will be same as above.
    - I have installed the new machine with ACS 3.3, I have imported user/group/data with csutil, then I have installed ACS 4.0 using setup.exe; the result is that ACS's services fail to start.
    *Normal cause for this is that you might be hitting a bug, according to which when we try to upgrade a database of ACS 3.3(x) build xx to ACS 4.0 and we have trailing spaces in AAA client and/or AAA server entries in the database, then that may cause an issue. But we may not be hitting that bug.
    Correct way to upgrade:
    [1] Verify we are following a correct and supported upgrade path:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/rnwin401.htm#wp37488
    [2] Then follow following steps to upgrade :
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/install/install.htm#wp1041858
    Summarizing above link, just run setup of ACS 4.0 over existing setup of ACS 3.3, and setup will prompt you itself, to save previous configuration, select yes at that point.
    Let me know if this helps.
    Regards,
    Prem

  • Tacacs+ problem with ACS 5.2

    I am new with ACS server 5.2 can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.

    Did you add the switch as an AAA client in the ACS box? Make sure you use the correct switch IP when adding it in ACS.
    You can go to "Monitoring and Reports" on ACS to check the log to see what happened.

  • Authentication Problem with ACS 5.2 Using LDAP

    HI!
    I want to use LDAP for connecting to Active Directory but I get this error from ACS 5.2 (22056 subject not found in the applicable identity stores). Is there anyone who can HELP me?
    I used this configuration in ACS 5.2:
    Users and Identity Stores / External identity store / ldap / Directory Organization
    Subject ObjectClass : User
    Subject Name attribute ; sAMAccountName
    Group ObjectClass : Group
    Group Map Attribute : MemberOf

    Two questions:
    - did you press "Test Bind to Server" from LDAP "Server Connection" tab and "Test Configuration" from "Directory Organization" tab?
    - did you select the LDAP database as the result in the identity policy?
