SNMP configuration on ACS appliance

Similar Messages

• ACS Appliance configuration issue.

  When I attempt to configure the ACS IP address I am getting the following error:
  "Error; Failed to get NIC configuration: <null> <FFFFFFFF>"
  The device is connected to a working ethernet port and the the physical layers have been eliminated. Aside from starting from scratch, can anyone suggest a way out of this problem?

  you need to reimage the ACS appliance.

• Configure the ACS 5.1 appliance to connect to the AD

  Pls advise.
  This is a new installation.I did to configure the ACS to connect to the AD to authenticate users and retrieve the user information for group mapping as following step.
  Go to Users and Identity Stores > External Identity Stores > Active Directory, and enter the domain
  name and provide a username/password that will allow connect to the domain.Next, click on the Test Connection button to validate joining the domain.
  I got success test connection. But when I click Save Changes. I got error .
  How the problem is fixed ?
  Best Regards
  Boonkiat

  Hello Boonkiat,
  I am glad Nicolas was able to provide you the information. Just to inform you that Nicolas is presentaing a LIVE webcast on Cisco Wireless CleanAir.
  https://supportforums.cisco.com/videos/2296
  Please register and get more info from Nicolas.
  Thanks,
  Vinay Sharma
  Community Manager - Wireless
  Cisco Support Community

• No access to serial console in ACS appliance 111

  We have 2 Cisco ACS appliances running version ...
  Cisco Secure ACS 3.2.2.5
  Appliance Management Software 3.2.2.5
  Appliance Base Image 3.2.2.1
  The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
  1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
  2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
  3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
  4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
  Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
  Kind regards.

  Hi
  I had similair problem being locked out of console after initial configuration wizard.
  I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
  I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
  deliverance1> start CSAgent
  Starting service: CSAgent..
  CSAgent is starting
  CSAgent is running
  Regards
  Ian

• Adding a Custom VSA to a Group - ACS Appliance

  Hi,
  Using a secure ACS Appliance 4.0
  I want to add a new RADIUS Vendor and its associated VSA to the ACS configuration. This will then be returned during Authorization.
  I have already added the new Vendor and the required VSA through RDBMS. I can now see the new vendor as RADIUS (vendor) in NAP Profile etc
  However I cannot seem to find a way that how would i set the Value of the Added VSA ? And assign it to a particular group ? I cannot seem to find that VSA anywhere.

  Add a AAA client with "Authenticate using" Radius(vendor)
  then go to Interface Configuration and enable VSA for Group/User
  ~Rohit

• Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

  Hi,
  I have set-up with below devices :
  Wireless LAN controller 5508
  LAP 3302i
  and ACS 5.1
  since i am new in ACS 5.1 configuration , I need so information to go ahead to configure ACS 5.1.
  which EAP method to use for wireless client authentication ? what is the best practice ?
  I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
  I have no clear picture for this certificate ?
  from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
  I will be obliged to get atleast initial configuration for ACS 5.1 to enable the EAP method,
  I need GUI based initial configuration for ACS 5.1
  This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

  Hi,
  which EAP method to use for wireless client authentication ? what is the best practice ?
  -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
  I  have gone through some cisco documents and it shows that best practice  is to configure PEAP but for the same , I need to install certificate in  ACS server as well in client PC. is that so ?
  -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
  If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
  If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
  I have no clear picture for this certificate ?
  from  where i can get this certificate or do i need to purchase this  certificate separately from cisco. how to install it in ACS server ?
  -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
  Please feel free to follow this step-by-step guide on
  PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
  http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• ACS appliance External Auth to NT 4.0

  Hi
  I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
  Is there a work around if you do not have a win2k server. This network is still NT4 with now win2k boxes
  Thanks

  The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
  It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
  The release notes/install guide for it is here:
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

• New ACS appliance not showing FQDN hostname in GUI

  I've installed two new ACS appliances in our environment running 5.3.  I've just configured the basics to get it on the network (ie DNS, default GW, IP address).  Looking at both running configs, they are identical with exception to the IP addresses.  On one appliance in the GUI next to the user name in the top right hand corner, the hostname is "acs01".  In the GUI on the other appliance, it shows "acs02.corp.mycompany.com".  This is a minor issue but its bugging me.  Anyone have an idea what is going on?
  In both appliances, this statement is identical in the show run:
  ip domain-name corp.mycompany.com

  Hi,
  So you are using a hardware RAID5 in storage pool as a hard disk. Now you added one more hard disk to the RAID5 with the tool "Dell Server Administrator" but it is not recognized in storage pool.
  I think it will not work as hard disk size cannot be changed after storage pool is created. It is by default.
  However why you use the hardware RAID in a storage pool? A hardware RAID seems enough for your storage requirement.
  If you have any feedback on our support, please send to [email protected]

• Apply patch to acs Appliance

  I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
  Some were I read that is necessary a tomcat server?
  Please help
  adi

  Hi,
  ACS v4.1.1.23 patch 5 is available so go for this new patch.
  You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
  Follow the steps below on the PC:
  [1] Extract zipped file
  [2] Look for ?autorun.exe? file and double click on it
  [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
  SE ip address :
  Provide in the ACS SE ip address and press ?Install?
  [4] It will prompt for ACS admin username and password as shown below :
  Provide in the username and password and login.
  [5] Then it bring up ACS GUI, then go to
  System Configuration > Appliance Upgrade Status > Download,
  Then we?ll get a screen where it will ask for ip address of Install Server :
  Provide in ip address of system from where we are applying this patch, in our case our
  desktop ip address, then click connect.
  [6] It will show us following screen :
  Click on ?Download Now?
  Then it?ll show us this screen :
  Press ?Refresh? Till we see following screen :
  [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
  Press ?Upgrade?, then we?ll get information regarding the patch.
  Click ?Yes?.
  It?ll take few minutes to apply that patch on appliance.
  Then it?ll show us a confirmation message :
  Press ?Done?, then system will reboot.
  To confirm that patch has been applied successfully, goto
  System Configuration > Appliance Upgrade Status
  After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
  if you want to apply this patch on some more appliance click on ?Install Next?
  Hope this helps.
  ~Rohit

• ACS Appliance Upgrade

  I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

  Hi,
  Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
  If I am not mistaken, the error you're getting was due to unavailability of distribution server.
  If you stuck with the image transfer, try to use CLI/console mode.
  Typicall upgrade method has 3 steps:
  1. Load new image (download from Cisco or using CD) onto a distribution server.
  2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
  3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
  Refer to the following url for complete upgrade processes & options:
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
  Rgds,
  AK

• ACS Appliance Hardware functionality

  Just received a new ACS Appliance and in testing out the functionality I've encountered a couple of curious issues...
  Shutdown -- Have tried doing shutdown from both HTTP and Serial connections. Command is accepted and the hard drive light flashes for a bit and then nothing. It does not power off, don't get a message on the serial console saying it is OK to power off. Waited 20 minutes then used the power button. Seems to conflict with the doco.
  Can we/How do we use the second Ethernet port? Don't see anything about how to configure it in the doco but when I plug a cable in I do get lights indicating it is active.
  I have been able to complete basic configuration and do have connectivity and authentication against Internal User, still fiddling with getting communication with our LDAP User database, So the unit does function.

  For the 2nd ethernet connection, the doco here (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1040777) gives the answer:
  Ethernet Connectors
  Your system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. Cisco Secure ACS Solution Engine supports the operation of either Ethernet connector, but not both connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.
  Each NIC is configured to automatically detect the speed and duplex mode of the network.
  Note The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported.
  For the shutdown issue, not sure, haven't seen that before.

• Migrating from Windows to the ACS appliance

  I'm in the process of migrating ACS from Windows to an appliance. I did a recovery and I chose to restore the DBs and the system config. However, I'm getting emails from the appliance with the name of the old windows machine where ACS was running. I guess this a result of restoring the system config. Does anyone know how to configure the emails to be sent with the current appliance name? And it is not possible, how can I restore the appliance to factory defaults so I can do the recovery again only for the DBs? Many thanks,

  well ... the easy way out is to re-image the ACS appliance and then replicate between the Windows server and the appliance . This will replicate all your settings from the windows ACS to appliance except the external database configuration that you need to manually configure.
  Note : for replication both the ACS for windows and the appliance should be on the same version .

• Is it possible to obtain a report from Ciscoworks LMS3.1 to detail the SNMP configuration of all devices?

  I am about to update/standardize to secure the SNMP configuration for all devices in the network utilizing Ciscoworks.
  There is likely to be variations amongst the devices. Therefore, I would like to generate one report for all the devices, capturing the SNMP configurations, is this possible?
  I know how to complete the work afterwards but am struggling to produce a meaningful report that I can use to build my tasks from.
  I am trying to achieve this using a particular 'role based' account via ACS, so it is possible that I don't have the permissions with this account at present which maybe why I'm not able to do it.
  Thanks!

  Getting the SNMP trap community string is not trivial.  The reason for this is that anything which shows the configuration will have this field starred out. You can get to the value, but not in a report-like fashion.  You can, however, search the archived configs under RME > Config Mgmt > Archive Mgmt > Search Archive.  Assuming you know the SNMP trap receiver IP, you could search on:
  snmp-server host x.x.x.x old-string
  That would show you all devices that still had the old community string.
  If you need to force RME to get the new config data, you can simply schedule a Sync Archive job under RME > Config Mgmt > Archive Mgmt > Sync Archive.  Of course, if you made the changes outside of LMS, you will need to manually update DCR with the new community string.

• Syslog on ACS Appliance

  is it possible to configure syslog on ACS appliance running ver 3.3?

  Please take a look at extraxi csvsync. Its our http(s) client that can download logs from ACS v2 or later (software or appliance).
  You simply create an Administrator account on the ACS with access rights to the "reports & activity" page plus each log types you want to download. On a PC somewhere you can schedule csvsync to connect and download all new logs (csvsync keeps a history of what its previously downloaded) over http.
  By doing a once (perhaps twice) a day bulk download you reduce the inefficient "drip drip" of syslog traffic that can be a problem over WAN. Also, you're guarunteed to get the log data - remember syslog is a non-acknowledged "fire and forget" protocol... ACS can be firing but the other end might be forgetting!
  csvsync also supports filename postfixing - so you dont get name clashes when downloading from multiple ACS servers.
  Used on its own csvsync is a great way to bulk archive the valuable ACS log data, however used in conjunction with extraxi aaa-reports! and you have a full log collection and reporting application.
  For more on csvsync or aaa-reports! please visit http://www.extraxi.com - free 60 day eval versions available.

• Trunked connections to ACS appliance

  We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
  We went with the hardened Linux option for the underlying OS.
  Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
  I see the new appliance has only 2 network adapters in it. Is it possible to configure these as a 802.1q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.

  Hi,
  ACS v4.1.1.23 patch 5 is available so go for this new patch.
  You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
  Follow the steps below on the PC:
  [1] Extract zipped file
  [2] Look for ?autorun.exe? file and double click on it
  [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
  SE ip address :
  Provide in the ACS SE ip address and press ?Install?
  [4] It will prompt for ACS admin username and password as shown below :
  Provide in the username and password and login.
  [5] Then it bring up ACS GUI, then go to
  System Configuration > Appliance Upgrade Status > Download,
  Then we?ll get a screen where it will ask for ip address of Install Server :
  Provide in ip address of system from where we are applying this patch, in our case our
  desktop ip address, then click connect.
  [6] It will show us following screen :
  Click on ?Download Now?
  Then it?ll show us this screen :
  Press ?Refresh? Till we see following screen :
  [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
  Press ?Upgrade?, then we?ll get information regarding the patch.
  Click ?Yes?.
  It?ll take few minutes to apply that patch on appliance.
  Then it?ll show us a confirmation message :
  Press ?Done?, then system will reboot.
  To confirm that patch has been applied successfully, goto
  System Configuration > Appliance Upgrade Status
  After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
  if you want to apply this patch on some more appliance click on ?Install Next?
  Hope this helps.
  ~Rohit