Non-ACS vs. ACS

Hi, Guys,
We’ve got a LAN with about 100+ switches on the 3 layers. Currently, the AAA model is non-ACS/CiscoWorks Local.
We’re concerned about security improvements. I am thinking possibly to move from non-ACS to ACS. Weighing both of them, I got to a point where I am pretty much indecisive. The advantages and disadvantages of both are almost balanced.
I would like you guys who are very familiar with these issues to give me some deeper advice.
Thanks,
Han,

Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users.
Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS
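For the move Han is weighing, the switch-side change is the part the reply above leaves out. The following is an added IOS example, not from the original post or from Cisco's documentation, that points login, enable, command authorization and accounting at an ACS server group over TACACS+ and keeps a local account only as a fallback for when the server group is unreachable; the server address, shared key and account name are placeholders, and the `tacacs server` form assumes an IOS 15.x image (older images use `tacacs-server host`).

```text
aaa new-model
!
! Local account kept only as a fallback (placeholder credentials)
username admin privilege 15 secret <local-fallback-password>
!
! ACS server definition; address and key are placeholders
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ACS
 server name ACS-PRIMARY
!
! "group ACS local": local is consulted only if no TACACS+ server answers;
! an explicit reject from ACS ends the attempt and does NOT fall through to local
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
!
! Per-command authorization and accounting, so privileged actions on every
! switch are decided and recorded centrally instead of in per-box local configs
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Source TACACS+ traffic from a stable address so the AAA client entry on ACS matches
ip tacacs source-interface Loopback0
```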

Similar Messages

  • MS PEAP, XP SP1, Non-Cisco Card, ACS 3.2, AP1200

    Hi,
    I am trying to set up MS PEAP with the required hardware. I have read through document ID 43486. In this, the software they used to test the AP1200 was 12.01T.
    My query is that I am running 12.2(13)JA3, the latest and greatest, on the AP1200. Will it work for PEAP or can I only set up PEAP with 12.01T?
    Can you please recommend any documentation? I have been trying to get it working for a month.
    Hardware:
    ACS 3.2
    Linksys Wireless Card
    Xp Sp1
    Regards
    Khaleefa Mahmood

    Yes, 13JA3 works with PEAP just fine.

  • ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

    Hi All ,
    I am using an ACS 1120 appliance running ACS version 4.2.1.15. I am pointing all syslog messages (passed authentication, failed authentication, database replication, administration audit, TACACS accounting) to my external syslog server, but I receive only the passed authentication log messages on my external log server; no other log messages except passed authentication are pushed to it. However, I can see failed attempts, database replication and administration audit log messages locally on my ACS appliance as CSV files.
    The syslog server is configured under all logging (passed, failed, administration, TACACS accounting), but I am surprised to see that only the passed authentication log is sent out from the ACS appliance. Is there any patch to be installed for log message scripting? Please advise.

    Refer to the link: https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
    You can directly upgrade from 4.2.0.124 to 5.6: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

  • ACS Appliance, ACS View support in CiscoWorks

    I have added the ACS appliance into CiscoWorks (3.1) and I don't see a listing under security for the appliance. I left it blank, and after the initial inventory CW comes back and says it is a Call Manager. I shudder to think of trying the new ACS View appliance. Any thoughts on how to resolve this? Any experience?
    Thanks,

    Hi David,
    Please post the sysObjectId for this device.
    1) Go to Device Troubleshooting - Device Center.
    2) Type in your device's IP address in the field and click Go.
    3) Select from the Tools menu the SNMP walk option.
    4) Type in your device's IP address if it is not already there.
    5) Type the read community string or SNMP v3 credentials that your device uses.
    6) Type .1.3.6.1.2.1.1.2 in the Starting OID field.
    7) Check the "Output OIDs Numerically" checkbox.
    8) Select SNMP version 2c or v3.
    9) Click OK.
    10) Please send the results.
    You can also check the support for that device based on the sysObjectId on the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html
    Andres
    If this post answers your question, please click the "Correct Answer" button

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after the initial setup we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3), and when we tried to connect to the serial console (115200,N,8,1, no flow control) we got no response from either ACS. It's quite strange, but we have found no way to make them work. We have tried several things, which I describe here in case you can give us any hint:
    1. We have rebooted the appliance and we can see the whole start-up process through the console, but when it finally finishes starting up, we see no login prompt.
    2. We have also shut down the appliance properly and powered it off and on again. Same results. The appliances boot normally but we still don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages, but when it finishes the start-up process ... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it, but when in trouble....) and I see the full start-up process, and it includes the base Windows 2000 Server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we can access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wish we could do, but as you know, this is a secured system and I don't know if there is a back-door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem, being locked out of the console after the initial configuration wizard.
    I think there is a bug in the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by pressing F8 and rebooting the server with the last known good configuration. From there, you can reset the hostname to something valid. You can check which CS services are running through the console session, and start any services that may not be running:
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • Cisco ACS 4.2 migration to ACS 5.4 advice

    Hello all, we are planning to migrate off our ACS 4.2.0.124 (non-appliance) to ACS 5.4. I'm looking for any advice or tips from anyone that has done the migration.
    Is the migration tool intrusive, or can it be run at any time?
    I thought about not using the migration tool and doing a new install; however, we have a few hundred MAC addresses entered for a MAC-authenticated SSID, as well as about 100 switches and routers for TACACS.
    We have about half a dozen Wireless Controllers that use AAA with a mix of SSIDs that are doing WPA2 with MAC authentication, LEAP, and PEAP. We also use TACACS for routers and switches and AAA for AnyConnect users.
    Any advice on the migration process would be appreciated.
    Thanks,
    Dan

    Actually I managed to copy/paste from the ACS 4.2 to the CSV file. The passwords will not be imported though, so you have to reset the password for all users and let them change it.
    If I were you I would use the import utility to migrate users to keep the passwords, then I would update the information of users (including group membership) via the update template CSV file.
    The migration I did before included a few users that I could create on the spot and ask to reset their password. Most of the data were MAC addresses for MAC auth and IP addresses for TACACS+ AAA clients (switches, routers, etc.).
    If you have too many users, then the migration tool is your friend to get them imported without having to reset the passwords.
    It is also important that you read the migration guide before you use the utility. You'll find valuable information about what will be imported and how, and what data will be maintained and what will not.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Patch rollup for Cisco Secure ACS 4.2 fails.

    I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
    Thanks

    Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
    Also my versions are as follows:
    Server OS - Windows Server 2003 R2
    Cisco Secure ACS - 4.2.(0) Build 124
    Thanks,
    Richard Jaehne

  • LMS 4.x -- Integration of ACS v5.x

    Hi all,
    I was wondering why LMS 4.x isn't able to fully integrate the ACS v5.x device in Inventory.
    We added our ACS appliance (please see show ver):
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: A1
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40
    Internal Build ID : B.839
    but only limited integration was possible (no detailed inventory, no config fetch, ...).
    The SNMP OID was discovered as non-Cisco (Prime Computer):
    dcrcli> detail id=3642
    Display Name = A-1, Device ID = 3642
         MDF Type : Unknown Device Type
         Sys Object ID: 1.3.6.1.2.1.47.1.1.1.1.13.1
         IP Address: 10.100.207.11
         Host name: A-1
         Domain name: xxx.net
         Primary Username: <Value specified>
         Primary Password: <Value specified>
         Primary Enable Password: <Value specified>
         SNMP V2 RO Community String: <Value specified>
         SNMP V2 RW Community String: <Value specified>
    No inventory packages are available via CCO to download.
    Does anybody out there know whether there are any plans to fully integrate ACS devices?
    In our company ACS will be used for 802.1X authentication, and is quite important.
    So we would like to fully manage this Cisco device with Cisco's element management tool (LMS)!
    Thanks for any feedback
    Lothar

    Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
    You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

  • CS ACS 4.2 services stopped and can't be restarted

    Hi all,
    After the ESX server on which the CS ACS server runs crashed, the following services have stopped and can't be restarted: CSLog, CSDbSync, and CSAuth. I have tried manual and auto start, but neither works.
    Has anyone run into this before? If so, what was the fix? Do I need to reinstall the ACS software?
    Thanks,
    Jean Paul

    The easiest way to proceed would be to take a backup of the ACS, reinstall ACS and reload the backup. If not, check the Event Viewer to see if there is any error message generated when starting the services.

  • ACS 4.1 support with Windows Server 2012 Domain controller

    I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
    In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
    Will ACS 4.1 work fine with my new domain controller (Windows Server 2012), or do I need to upgrade my ACS too?
    Regards,
    Junaid

    Junaid,
    ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2, or stay with Windows 2003 or 2008 (non-R2).
    ACS 5.4 patch 2 supports Windows 2012 AD.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
    Regards,
    Jatin
    **Do rate helpful posts**

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2, ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD, they created two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database. Since student1 is a valid user account in AD, it will pass authentication and then join the staff WLAN. How to prevent this from happening?
    3. Potential solutions and their limitations:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users; how to solve it?
    2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: configure DNIS with the SSID name in a NAR of ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know if AD supports it or not. Are there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to >500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • ACS 5.3 Occurred At: Tue Sep 10 04:00:00 IST 2013 Cause: Purge Configuration Repository not configured

    hi team,
    I am running ACS 5.3 and I am getting error messages like the ones below:
    System Alarm [Database Purging]
    Mon Sep 09 04:00:00
    Incremental Backup Not Configured
    System Alarm [Database Purging]
    Sun Sep 08 04:00:00
    Purge Configuration Repository not configured
    Cause:
    Purge Configuration Repository not configured
    Details:
    Configure Remote Repository under Purge Configuration which is used to take a backup of data before purge.
    Cause:
    Incremental Backup Not Configured
    Details:
    Incremental backup is not configured. Configuring incremental  backup is necessary to make the database purge successful. This will  help to avoid disk space issues. View database Size is 1.27GB and size  it occupies on the harddisk is 1.22GB.
    Could anyone provide a solution to overcome this issue?

    Hi,
    I guess I've seen this before, even when we had the repository and incremental backup configured fine on ACS. One reason for the above alarms could be that the configuration made on the GUI might not have been taken over completely into the database, and the alarms trigger due to that. Please restart the services of the ACS or reload the ACS in off-production hours.
    acs stop
    acs start
    OR
    reload
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS 5.3 applying patch

    Hello,
    I have a problem with applying a patch on ACS 5.3. In the release notes the following command format is mentioned:
    acs patch install patch-name.tar.gpg repository repository-name
    The problem is ACS 5.3 doesn't have this command syntax.
    It doesn't have the acs command.
    Here is what I have tried:
    acs/admin# patch install 5-3-0-40-1.tar.gpg rep
    Do you want to save the current configuration ? (yes/no) [yes] ?
    Generating configuration...
    Saved the running configuration to startup successfully
    % Manifest file not found in the bundle
    repository rep
      url ftp://172.30.5.217
      user user password hash c7b11123e528660abea78d974339875394fbb234
    Here are the supported commands that I found on ACS 5.3.
    acs/admin# ?
    Exec commands:
      application  Application Install and Administration
      backup       Backup system
      backup-logs  Backup system and application logs
      clock        Set the system clock
      configure    Enter configuration mode
      copy         Copy commands
      debug        Debugging functions (see also 'undebug')
      delete       Delete a file
      dir          List files on local filesystem
      exit         Exit from the EXEC
      forceout     Force Logout all the sessions of a specific system user
      halt         Shutdown the system
      mkdir        Create new directory
      nslookup     DNS lookup for an IP address or hostname
      patch        Install System or Application Patch
      ping         Ping a remote ip address
      reload       Reboot the system
      restore      Restore system
      rmdir        Remove existing directory
      show         Show running system information
      ssh          SSH to a remote ip address
      tech         TAC commands
      telnet       Telnet to a remote ip address
      terminal     Set terminal line parameters
      traceroute   Trace the route to a remote ip address
      undebug      Disable debugging functions (see also 'debug')
      write        Write running system information
    acs/admin#

    Hi,
    I find this odd; can you run a "show application"?
    Here is the output of my ACS:
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40.4
    Internal Build ID : B.839.EVAL
    Patches :
    5-3-0-40-2
    5-3-0-40-4
    gdtsrv-acs5/admin# ?
    Exec commands:
      acs          ACS control commands
      acs-config   ACS config mode
      application  Application Install and Administration
      backup       Backup system
      backup-logs  Backup system and application logs
      clock        Set the system clock
      configure    Enter configuration mode
      copy         Copy commands
      debug        Debugging functions (see also 'undebug')
      delete       Delete a file
      dir          List files on local filesystem
      exit         Exit from the EXEC
      forceout     Force Logout all the sessions of a specific system user
      halt         Shutdown the system
      mkdir        Create new directory
      nslookup     DNS lookup for an IP address or hostname
      patch        Install System or Application Patch
      ping         Ping a remote ip address
      reload       Reboot the system
      restore      Restore system
      rmdir        Remove existing directory
      show         Show running system information
      ssh          SSH to a remote ip address
      tech         TAC commands
      telnet       Telnet to a remote ip address
      terminal     Set terminal line parameters
      traceroute   Trace the route to a remote ip address
      undebug      Disable debugging functions (see also 'debug')
      write        Write running system information
    Tarik Admani
    *Please rate helpful posts*

  • After upgrading ACS 3.3.1 to 4.2 on windows the local database is not working

    Hi,
    I have upgraded the ACS 3.3.1 for Windows server to 4.2. Everything went fine, but the local database is not working.
    The CD is an upgrade kit from 3.x to 4.2 on Windows. I tried to install the 4.2 directly; I was able to install it, but integration with AD/LDAP is not working. Anyway, it's an upgrade kit, so I can't expect it to work when installing the 4.2 directly, but by upgrading from 3.3 to 4.2 everything should work fine.
    I followed the upgrade path as recommended.
    Also we have a requirement that once it is upgraded to 4.2 we need to shift the whole thing from the physical server to a virtual machine on a VMware ESX server 3.5.
    Can anybody please guide me if there is anything else to do after the upgrade?
    Thanks & Regards
    Sachi

    Hi Javier,
    First of all I was facing a problem restoring the old database of 3.3 to 4.2. Somehow I overcame that issue by following the steps below. Now local authentication is working fine, but AD/other external database authentication is not working. As you said, the setting for unknown users is configured to fetch the credentials from the external database if they are not in the local database.
    Do we need to do anything in the AD itself?
    Regards
    Sachi
    Steps for ACS upgrade to version 4.2
    Below are the requested steps for the upgrade from ACS 3.3.2 to ACS 4.2.
    1) Take a configuration backup from the existing ACS: ACS ---> System Configuration ---> ACS Backup.
    2) Now, if you have ACS 3.3.2 on the server, take a backup of the ACS.
    3) Insert the CD, or if you have the setup on the system, run the setup of ACS 3.3.4. During the process it will prompt you to upgrade the existing configuration. Make sure you check that option, else you will lose the database. Now you need to hit Next, Next to finish the 3.3.4 upgrade.
    4) Once you are at 3.3.4, take a backup and keep it handy.
    5) Run the setup of 4.1.1. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else you will lose the database. Now you need to hit Next, Next to finish the 4.1 upgrade.
    6) Once you are at 4.1.1.24, take a backup and keep it handy.
    7) Run the setup of 4.2. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else you will lose the database. Now you need to hit Next, Next to finish the 4.2 upgrade.
    8) Once you are at 4.2, take a backup and keep it handy. Now run patch 12 and take a backup again.
    9) Now fresh install 4.2 on your new production server and install patch 12. Restore the 4.2 patch 12 backup and you should be all set.

  • Issue with group mapping in ACS.

    When we map an AD group in ACS to an ACS group, it comes up as the AD group and * (as below: “ ,* ”). Because of this *, everybody is able to log in irrespective of their AD group.
    Please suggest a way to only add the NT group alone without the *.

    Actually '*' means something else.
    If you have a group on AD, say 'Alfa',
    when you do a mapping on ACS, you'll see it like this:
    'Alfa', * ------- Group x
    The above means: if a user is a member of group 'Alfa' on AD, AND can also have any other group membership on AD (the meaning of *), then map it to Group x on ACS.
    It does not mean map everyone to Group x, even if they are not a member of group 'Alfa' on AD.
    As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.
    Map them to .
    Then only those for whom you have the mapping defined on ACS will be able to log in.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
    Check Step 8,
    "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
    Regards,
    Prem
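    This thread and the staff/student WLAN thread earlier on the page both come down to how ACS decides which ACS group, if any, an AD-authenticated user lands in. The following is an added Python model of those semantics, not ACS code and not code from any poster: ordered group-set mappings where the trailing '*' means "may belong to other groups too", a \DEFAULT ("All other combinations") entry that either maps to a real group (the reported symptom) or to No Access (the fix), and a DNIS-keyed NAR standing in for the SSID restriction; all group names, SSIDs and the NAR layout are constructed.

```python
"""Model of Cisco Secure ACS 4.x group-set mapping plus a DNIS-keyed NAR.

Added example, not ACS code. Semantics modelled from the thread: a mapping set
such as  'Alfa', *  matches a user who is a member of every listed AD group and
may belong to others; sets are evaluated top to bottom, first match wins; users
matching no set fall through to the \\DEFAULT ("All other combinations") entry.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

NO_ACCESS = None  # stands for the ACS "No Access" group


@dataclass
class MappingSet:
    required_groups: FrozenSet[str]   # user must be in ALL of these (AND)
    acs_group: Optional[str]          # None == No Access
    others_allowed: bool = True       # the trailing '*' shown in the ACS GUI


@dataclass
class GroupMapping:
    sets: List[MappingSet]            # ordered; first match wins
    default: Optional[str]            # \DEFAULT / "All other combinations"

    def map_user(self, ad_groups: Set[str]) -> Optional[str]:
        member = frozenset(ad_groups)
        for s in self.sets:
            if s.required_groups <= member and (s.others_allowed or member == s.required_groups):
                return s.acs_group
        return self.default            # this is the line that let everyone in


@dataclass
class DnisNar:
    """Per-ACS-group Network Access Restriction keyed on DNIS (here: the SSID)."""
    permitted_dnis: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, acs_group: Optional[str], dnis: str) -> bool:
        if acs_group is NO_ACCESS:
            return False
        allowed = self.permitted_dnis.get(acs_group)
        return allowed is None or dnis in allowed   # no NAR on the group == unrestricted


def authorize(mapping: GroupMapping, nar: DnisNar, ad_groups: Set[str], dnis: str) -> Optional[str]:
    """AD membership -> ACS group -> NAR check on the SSID; None means access denied."""
    acs_group = mapping.map_user(ad_groups)
    return acs_group if nar.allows(acs_group, dnis) else NO_ACCESS


# Constructed sample configurations (hypothetical names, not from any poster's deployment).
ALFA_SET = MappingSet(frozenset({"Alfa"}), "Group x")
# Symptom from the thread: \DEFAULT points at a real group, so any valid AD account maps.
MISCONFIGURED = GroupMapping(sets=[ALFA_SET], default="Group x")
# Fix: \DEFAULT -> No Access; only 'Alfa' members reach Group x.
FIXED = GroupMapping(sets=[ALFA_SET], default=NO_ACCESS)

# Staff/student WLANs: both authenticate via PEAP against the same AD, so separation
# has to come from the mapping plus a NAR keyed on the SSID carried as DNIS.
CAMPUS = GroupMapping(
    sets=[MappingSet(frozenset({"staff"}), "acs-staff"),
          MappingSet(frozenset({"student"}), "acs-student")],
    default=NO_ACCESS)
CAMPUS_NAR = DnisNar({"acs-staff": {"staff"}, "acs-student": {"student"}})

if __name__ == "__main__":
    print(MISCONFIGURED.map_user({"Domain Users"}))               # Group x (the complaint)
    print(FIXED.map_user({"Domain Users"}))                       # None (No Access)
    print(authorize(CAMPUS, CAMPUS_NAR, {"student"}, "staff"))    # None: student1 kept off staff SSID
```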
