Services of ACS 4.2

Hello,
what are the ports used by the services of ACS 4.2 (deployed on Microsoft Windows 2003):
- CSAuth
- CSMon
- CSRadius
- CSTacacs
thank you.

The ACS will respond to local database queries fine; it is when it relays them to the Active Directory cluster that it fails. The ACS servers are on different subnets in different data centers, same with the AD servers. I checked the switch ports and have found no errors and no indication of duplicate IPs. In the ACS logs, I see the failure logged as either "External DB user invalid or bad password" or "External DB unknown error".

Similar Messages

  • How to stop Radius/Tacacs service in ACS 5.2 ?

    Hi, is there a way to stop the Radius/Tacacs service in ACS 5.2 from the GUI ?

    There will be a more convoluted way to do it. Say, for example, you want to do it for RADIUS:
    - define an access service that should take all RADIUS request
    - for identity policy authenticate against internal database and set the Advanced Option for "If user not found" to drop the request
    This should silently drop all RADIUS requests
    Can be done similarly for TACACS+

  • How to monitor Radius services on ACS 5.4

    Hi All,
    I want to monitor  Radius services of ACS 5.4,  In case of failure any radius service on ACS.
    ACS should send alert to Syslogs  or email notification
    Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
    Regards.

    Hi Narinder,
       I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular RADIUS service.
    The services which are available and can be viewed through CLI and GUI are following:
    Database
    Management (ACS management subsystem)
    Ntpd
    Runtime (ACS runtime subsystem)
    View-alertmanager
    View-collector
    View-database
    View-jobmanager
    View-logprocessor
    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
    Cheers 
    Minakshi

  • Issue with changing Access Service in ACS 5.2

    Hi,
    I am working on a lab setup where I installed ACS 5.2. I created a new access service and used it in an existing service selection rule (Rule-2) earlier but it didn't work. Later I created a new service selection rule and applied the new access service. However, even after this change it keeps applying the predefined default access service. Please refer to the attached picture for better understanding.
    As shown, I want Aks-Rule to work and apply service 'Lab-Policy'; however it keeps referring to Rule-2 and applies the 'Default Device Admin' access service even after I disable it.
    I have to restart the ACS service from the CLI console to make it work. Is this a bug or am I missing anything? Please advise guys.
    Regards,
    Akshay

    Since the policy AKS is top in sequence under the service selection rules it should hit for sure. As you wrote, even after disabling the default device admin the request still hits the same, and restarting the ACS services resolved the issue. The symptoms of your issue are exactly the same as stated in this defect:
    CSCuo93378    Certain browsers cause ACS database corruption
    Due to this issue we have seen cases where the request hits disabled and default policies without any reason. Actually, accessing ACS via Chrome messes up all the operators in conditions.
    The only workaround is to access all the rules and conditions in a supported browser. Ensure all the operators are correct, save the changes and restart the ACS services.
    The issue seems to be fixed in ACS 5.5 patch 5.
    Regards,
    Jatin

  • How to monitor radius service in ACS 5?

    Hi to all,
    I have an ACS version 5 and the RADIUS authentication is not working. I did a port scan of the ACS and I can't see the RADIUS port open.
    I tried to verify if the RADIUS service is running but I can't find where to check that in this ACS 5 version. Does anyone know where that is, or what I should verify to see what the problem could be?
    I also checked in the monitoring section but there is nothing matching radius authentication.
    Thanks in advance for your help.

  • ACS 5.0 and Cisco common services integration

    Hi all
    Has anyone here successfully integrated Cisco common services into ACS 5.0?
    I have successfully done this with ACS 4.2 but I don't think CS understands the new way to connect to ACS 5.
    I have already read the following guide, it basically fails when you click the apply button under AAA mode in CS to connect to the ACS server.
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    So I can see port 49 connects but CS cannot access the web interface to deploy its authorization sets.
    -Tacacs+ Connectivity Reachable
    -HTTP/HTTPS Connectivity Not Reachable
    Protocol mismatch detected.
    I've tried both http and https, get the same error.
    Any suggestions would be helpful.
    Cheers all
    Dale

    Answered by Cisco here
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&topicID=.ee71a02&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd43d08

  • ACS runtime service will not start

    Needed to sync up the ACS with the NTP server, which required a reload of the ACS.  Since the reload, the runtime application will not start. Log shows:
    [UTC May 17 15:49:24] error    : 'runtime' process is not running
    [UTC May 17 15:49:24] info     : 'runtime' trying to restart
    [UTC May 17 15:49:24] info     : 'runtime' start: /opt/CSCOacs/bin/exec_wrapper.sh
    [UTC May 17 15:50:24] error    : 'runtime' service timed out and will not be checked anymore
    Unable to find any info in the cisco.com knowledge base.  Have reloaded three times with the same result.  Any ideas?

    Jessica,
    There are numerous issues with services on ACS code 5.0, please upgrade it to ACS 5.1
    Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software >
    5.0.0.21
    Upgrading an ACS server from 5.0 to 5.1 (Installation guide)
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html#wp1167547
    Regds,
    JK
    Do rate helpful posts-

  • Start and stop Cisco Secure ACS services using batch.

    Hello.
    I need to start and stop Windows service using a batch.
    What is the correct order?
    Thanks.
    Andrea

    Here is the batch file I use to stop and start services on ACS 4.x Windows and it works perfectly.

    @ECHO OFF
    REM Stop all ACS 4.x services; output is discarded with >nul (a bare "null" would create a file of that name)
    net stop csmon >nul 2>&1
    net stop cslog >nul 2>&1
    net stop csdbsync >nul 2>&1
    net stop csauth >nul 2>&1
    net stop csadmin >nul 2>&1
    net stop cstacacs >nul 2>&1
    net stop csradius >nul 2>&1
    REM Start them again, CSAuth first and the RADIUS/TACACS+ listeners last
    net start csauth >nul 2>&1
    net start csmon >nul 2>&1
    net start cslog >nul 2>&1
    net start csdbsync >nul 2>&1
    net start csadmin >nul 2>&1
    net start cstacacs >nul 2>&1
    net start csradius >nul 2>&1
    echo Complete restart finished
    exit 0

  • How to survive an ACS audit with aaa-reports!

    For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
    It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
    Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
    Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
    Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
    Create a Change Control system for config changes on the ACS. Since its ACS that decides who gets access and what commands they run on your network its vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
    Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
    Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep the copies alongside the retained CSV logs for future reference.
    Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
    In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
    Below are some additional TDA specific tips:
    Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
    Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
    Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD, then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
    Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
    Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
    Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
    The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
    For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm


  • Not able to access ACS 5.1.0.44

    Hi
    I have two ACS appliances, version 5.1.0.44. I configured them with replication and it was working fine. Last month my primary was down and not accessible, but I was able to ping it. I tried Googling it on the Internet and couldn't find any answer to resolve the issue; after reimaging the appliance it started working fine. Now I am facing the same issue again. Please advise how to resolve the issue without reimaging.
    Thanks and Regards,
    Hameed

    Please ssh into the appliance and issue a show application status acs:
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'adclient'                  running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    if you need to start any of these services manually for example the management service:
    admin# acs start management
    Thanks,
    Tarik Admani
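The two "how to monitor RADIUS services on ACS 5.x" questions earlier on this page and Tarik's answer above point at the same thing: on ACS 5.x there is no separate RADIUS service to watch, so the practical check is the process list printed by show application status acs, with 'runtime' being the subsystem that actually answers RADIUS/TACACS+ requests. The script below is an added example (not from the thread, not Cisco code) that parses that output and turns any non-running process into an alert line suitable for a syslog or mail sender. The sample output is constructed from the lines quoted above with two processes deliberately marked as failed; the "not running" wording and the split between authentication-critical and reporting-only processes are this example's assumptions.

```python
"""Parse the output of the ACS 5.x CLI command 'show application status acs'
and report any process that is not running.

Added example, not from the thread or from Cisco. The sample output is
constructed from the process names quoted in the thread; the 'not running'
wording for a failed process is an assumption."""

import re
from typing import Dict, List

# Constructed sample: same process list as the thread's output, with two
# processes deliberately marked as not running (hypothetical state).
SAMPLE_STATUS = """\
ACS role: PRIMARY
Process 'database'                  running
Process 'management'                running
Process 'runtime'                   not running
Process 'adclient'                  running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         not running
Process 'view-collector'            running
Process 'view-logprocessor'         running
"""

# Processes whose failure stops RADIUS/TACACS+ authentication outright
# (the 'runtime' subsystem answers AAA requests) versus ones that only
# affect the View/reporting side. This split is the example's assumption.
AUTH_CRITICAL = {"runtime", "management", "database", "adclient"}

PROCESS_RE = re.compile(r"^Process\s+'([^']+)'\s+(.+?)\s*$")
ROLE_RE = re.compile(r"^ACS role:\s*(\S+)")


def parse_status(text: str) -> Dict[str, str]:
    """Return {process_name: state} for every 'Process ...' line."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states


def parse_role(text: str) -> str:
    """Return the ACS role (PRIMARY/SECONDARY) or UNKNOWN if absent."""
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            return m.group(1)
    return "UNKNOWN"


def failed_processes(states: Dict[str, str]) -> List[str]:
    """Names of processes whose state is anything other than 'running'."""
    return sorted(name for name, state in states.items() if state != "running")


def build_alerts(text: str) -> List[str]:
    """One alert line per failed process, severity from AUTH_CRITICAL.
    The suggested action is the CLI command quoted in the thread."""
    role = parse_role(text)
    alerts = []
    for name in failed_processes(parse_status(text)):
        sev = "CRITICAL" if name in AUTH_CRITICAL else "WARNING"
        alerts.append(f"{sev} acs-role={role} process={name} "
                      f"action='acs start {name}'")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_STATUS):
        print(alert)
```

In practice the text fed to parse_status would come from an SSH session to the appliance run on a schedule; the parsing is kept separate from the transport so it can be tested offline.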

  • SCOM 2012 ACS agent Failed connecting to collector

    Hi,
    We are using SCOM 2012 on Windows 2012. When installing the SCOM agent with Audit Collection Services the ACS forwarder will report in as healthy until reboot; after reboot the forwarder state changes to failed to connect to collector. (XXX's are redacted system information.)
    Forwarder unsuccessfully tried to connect to the following collector(s): XXXXXXXX:51909, status: 0x80090322 (TCP connect), source: registry addresses tried: XXX.XXX.XXX.XXX:51909 If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s) listed is not online AdtServer is not running on the machine(s) listed AdtServer on the machine(s) listed is not listening on the specified port TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load) For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows directory.
    Enabling trace logging repeats the same error, unable to connect to server. We have verified, the IP is correct, the FQDN is correct and has a forward and reverse lookup record. We have also verified via telnet that port 51909 is open in both directions.
    Any help would be appreciated.

    If you are 100% sure port 51909 is open at Collector's side (you don't need to open it on ACS forwarder) and there's no additional firewall somewhere at the middle use wireshark and capture what's going on. 
    --- Jeff (Netwrix)

  • ACS v5.5 authorization rules 320 limit

    I am about embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in ACS v5.5 release notes.
    Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?

    The limitation is for total acs
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#90057
    Table 13  Limitations in ACS Deployments

    Object Type                         ACS System Limits
    ACS Instances                       22
    Hosts                               150,000
    Identity Groups                     1,000
    Active Directory Group Retrieval    1,500
    Network Devices                     100,000
    Network Device Groups               12
    Device Hierarchies                  6
    All Locations                       10,000
    All Device Types                    350
    Services                            25
    Authorization Rules                 320
    Conditions                          8
    Authorization Profile               600
    Service Selection Policy (SSP)      50
    Network Conditions (NARs)           3,000
    ACS Admins                          50 (9 static roles)
    dACLs                               600 dACL with 100 ACEs each

  • ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

    Hello
    I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.
    The use case is:
    ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
    Sometimes the username Access-Accept comes back with the domain suffix stripped.
    The result of this is:
    ACS logs a successful authentication with the sent username (with suffix)
    ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
    Subsequent accounting packets for the user appear in ACS (without suffix)
    In the past I've used a FreeRADIUS proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username originally sent in the Access-Request. The code for this looked something like the following.
    post-proxy {
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
    }
    I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?
    Thanks
    Andy

    Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.
    Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.
    Cheers
    Andy
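What the quoted FreeRADIUS post-proxy rule does, shown as an added example in plain Python rather than ACS or FreeRADIUS code: take the User-Name from the Access-Request, copy it over the stripped User-Name in the Access-Accept, and recompute the Response Authenticator so the WLC still accepts the packet (RFC 2865 section 3: MD5 over Code, ID, Length, Request Authenticator, Attributes and the shared secret). Without the last step the WLC would discard the rewritten reply. The usernames, identifier, request authenticator and shared secret are constructed for the demonstration; this is not part of the original thread.

```python
"""Rewrite the User-Name of a RADIUS Access-Accept to match the Access-Request
it answers, then recompute the Response Authenticator (RFC 2865, section 3).
Added example for this thread; not ACS or FreeRADIUS code. Usernames, identifier,
authenticator and shared secret below are constructed for the demo."""

import hashlib
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1          # RFC 2865 attribute type 1 = User-Name
Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:            # 1-byte length field counts the 2 header bytes
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> List[Attr]:
    """Parse the TLV list; reject bad lengths rather than looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs_bytes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def get_user_name(attrs: List[Attr]) -> bytes:
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            return value
    return b""


def rewrite_accept_user_name(request: bytes, accept: bytes, secret: bytes) -> bytes:
    """Return a copy of `accept` whose User-Name equals the request's User-Name,
    with a Response Authenticator valid for `secret`."""
    req_code, req_id, _, req_auth = struct.unpack("!BBH16s", request[:20])
    acc_code, acc_id = accept[0], accept[1]
    if req_code != ACCESS_REQUEST or acc_code != ACCESS_ACCEPT or req_id != acc_id:
        raise ValueError("packets are not a matching request/accept pair")
    wanted = get_user_name(decode_attrs(request[20:]))
    attrs = [(t, wanted if t == ATTR_USER_NAME else v) for t, v in decode_attrs(accept[20:])]
    if not any(t == ATTR_USER_NAME for t, _ in attrs):
        attrs.append((ATTR_USER_NAME, wanted))   # reply had no User-Name at all: add one
    auth = response_authenticator(ACCESS_ACCEPT, acc_id, req_auth, encode_attrs(attrs), secret)
    return build_packet(ACCESS_ACCEPT, acc_id, auth, attrs)


def verify_accept(request: bytes, accept: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator the way the NAS (the WLC here) does."""
    expected = response_authenticator(accept[0], accept[1], request[4:20], accept[20:], secret)
    return accept[4:20] == expected


# Constructed demo: the request carries the suffixed name, the upstream server
# answers with the suffix stripped (the mismatch described in the thread).
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))                 # a real Request Authenticator is random
REQUEST = build_packet(ACCESS_REQUEST, 7, REQ_AUTH, [(ATTR_USER_NAME, b"user@example.org")])
_stripped = [(ATTR_USER_NAME, b"user")]
ACCEPT = build_packet(ACCESS_ACCEPT, 7,
                      response_authenticator(ACCESS_ACCEPT, 7, REQ_AUTH, encode_attrs(_stripped), SECRET),
                      _stripped)


def demo() -> bytes:
    """User-Name the WLC would see after the rewrite."""
    fixed = rewrite_accept_user_name(REQUEST, ACCEPT, SECRET)
    assert verify_accept(REQUEST, fixed, SECRET)
    return get_user_name(decode_attrs(fixed[20:]))


if __name__ == "__main__":
    print(demo())   # b'user@example.org'
```

The identifier check in rewrite_accept_user_name matters: a reply is only meaningful for the request with the same ID and Request Authenticator, and that authenticator is an input to the MD5, so the rewrite has to happen where the original request is still known (which is why the FreeRADIUS rule references %{request:User-Name}).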

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for a Juniper SRX 210 firewall with Cisco ACS 5.1 TACACS but I am unable to achieve it.
    Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 with Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS what TACACS (or RADIUS) attributes are needed for that device.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which JunOS router use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • ACS 4.2.0 build124

    Dear experts
    We are using acs version 4.2.0 build 124 on windows server 2003. Our domain controller has been upgraded from 2003 to windows 2008 R2.
    Now we are facing following error in ACS authentication for accessing our devices.
    Error: AUTH  06/09/2012 11:55:40 E 1810 3316 0x8f21 External DB [NTAuthenDLL.dll]: Windows  authentication FAILED (error 1326L)
    If we restart the services on the ACS server then users get authenticated fine.
    Can anyone guide in this issue.
    Regards
    Sajeel

    Hi Sajeel,
    This is a known enhancement bug. Windows 2008 R2 is not supported with any version of ACS irrespective of platform.
    ACS 4.2.x doesn't support all newer versions of Windows 2008. It only supports the versions listed below.
    Supported Operating Systems section
    --Windows Server 2008, Standard Edition
    --Windows Server 2008, Enterprise Edition
    --Japanese Windows Server 2008, Standard Edition, Service Pack 2
    --Japanese Windows Server 2008, Enterprise Edition, Service Pack 2
    Link for System requirement and supported version
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Installation_Guide/windows/install.html#wp1041324
    However, we have few option at this point which may suit your requirement:
    1.] Roll back your AD to standard 2008 Non-R2.
    2.] Replace AD with LDAP because we can use win 2008 R2 with LDAP as a protocol.
    3.] Go for ACS 5.2 only for cases where we want DC to run on win 2008 R2
    Related bugs and enhancement
    Applicable where customer is trying to ACS windows or remote agent on the windows 2008 R2
    CSCta35271    Support for Windows server 2008 R2
    Applicable where customer is directing all the authentication request to AD/DC as 2008 R2
    CSCtg37183    ACS 4.x doesn't support 2008 R2 Server for AD
    CSCtg12399  ACS 5.1 did not support 2008 R2 Server for AD.
    We have also seen this working in a few instances, but again it's not tested by Cisco so there may be issues that you may not be able to afford in your production environment.
    Regards,
    Jatin
    Do rate helpful posts-
