Upgrade ACS V3.2 - V4.0 Tacacs/Radius Key Query

Hi All
I am in the process of upgrading my ACS server from V3.2 to V4.0
I have a Production Server which will be replaced by the New Production Server and A Test Server for upgrading the ACS Database.
I have successfully upgraded from V3.2 to V3.3 then to V4.0 on my test server.
My original plan was to upgrade the database with my Test Server and Restore it to my New Production Server.
Just copy the new V4.0 database to the New Production Server and change the IP address to the old server's address.
However, looking through the database there are sections which are hard-coded with the test server's hostname.
This has forced me to rethink my original plan and to use the original server's hostname.
This also got me thinking what else is hard-coded in the database.
My question is - When I installed V3.2 on my test server
Under the Tacacs+ or Radius Key section - do I need to put the same key as the original V3.2 database or will this key change when I come to restore the original database on the test server ?
I am just concerned that my radius/tacacs clients will not authenticate with the new server when it is put into production with the new V4.0 database.
Thanks in advance

Hi,
The "hard-coded" things will change automatically once the database is restored on the new server.
The only thing which you would need to take care of is the change in IP address such that the clients send the request to the right ACS.
Regards,
Vivek

Similar Messages

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • Leap, tacacs+/radius fixed ip (pool)

    dear,
    Is there a way while using LEAP & mobile IP technology to make it happen that when a user becomes associated to an AP (proxy mobile) he always obtains an IP address from a predefined pool or just one personal IP address which we define on our tacacs+/radius server, without having it configured statically on the user's computer?
    The purpose is for some external consultants browsing around our wireless network, to home them in a segment behind our firewall using mobile IP, but giving the person an IP address based on his credentials (tacacs+/radius server) so based on that we can build a rulebase on our firewall and allow only restricted access to intra or internet. So what we want is actually a user-to-IP mapping without the need to configure it on the computer or authenticate multiple times. We have something similar with dial-in routers, but I don't find any documentation if we could do something similar with our wireless infrastructure.
    Any hints or info would be helpful.
    H.

    No, this can't work - you can't use RADIUS to tell an AP which IP address to give to which client, because the AP is not directly involved in assigning layer 3 addresses to clients. It is (basically) only a layer 2 device.

  • Programming tacacs & radius server-keys ?

    I'm having an issue programming the tacacs & radius server-keys. I'm not sure if I missed a step or my use of the syntax. I appreciate any help you can provide. It's a first time for me and I'm attempting to duplicate an existing switch which states server-key 7 <removed>. 
    Thanks
    Roy

    Roy
    I can appreciate that the first time doing this can seem daunting. But it really is not so difficult when you get right down to it.
    The first thing to understand is that in the existing config the key has already been encrypted for storage on the switch. So what you see in the running config is crypto text and not really the exact key.
    You have two options in how to configure your new switch:
    - you could cut and paste the server key from the existing config to the new switch. So you would be inputting the type 7 encrypted key directly to the new switch.
    - you could manually configure the key on the new switch. In this case you would configure
    server-key <key_value>
    where <key_value> is the clear text key to use. If you do this, and assuming that you have configured service password-encryption, then the switch will take the clear text key and will encrypt it for storage on the new switch.
    HTH
    Rick
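
A check one could run before copying keys between switch configurations as described in the answer above; this is an added example, not code from the thread. It assumes a type 7 value is two decimal digits followed by hex pairs; the `radius-server key` statement, the sample configuration and its key values are constructed for illustration. Findings never include the key value itself.

```python
import re

# Key statements: "server-key" and "tacacs-server key" appear on this page;
# "radius-server key" is added here as an assumption.
KEY_LINE = re.compile(
    r"^\s*(?P<stmt>server-key|tacacs-server key|radius-server key)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S.*?)\s*$"
)
# Assumed type 7 layout: two decimal digits, then one or more hex pairs.
TYPE7 = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")

# Constructed sample: a redacted placeholder pasted as-is, a well-formed
# type 7 value, a value truncated during copy and paste, and a clear-text key.
SAMPLE_CONFIG = """\
hostname sw-new
server-key 7 <removed>
tacacs-server key 7 0512AB34CD56EF
radius-server key 7 0512AB34CD56E
tacacs-server key ExampleKey
"""


def classify(key_type, value):
    """Return how the key on one configuration line is stored."""
    # No type field (or type 0, assumed to mean clear text) is a plain key.
    if key_type is None or key_type == "0":
        return "cleartext"
    if key_type == "7":
        return "type7-ok" if TYPE7.match(value) else "type7-malformed"
    return "other-type"


def audit_keys(config_text):
    """List (line number, statement, status) for every key statement found."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = KEY_LINE.match(line)
        if match:
            status = classify(match.group("type"), match.group("value"))
            findings.append((number, match.group("stmt"), status))
    return findings


if __name__ == "__main__":
    for number, stmt, status in audit_keys(SAMPLE_CONFIG):
        print(f"line {number}: {stmt}: {status}")
```

A `type7-malformed` result on the new switch's configuration usually means a redacted or truncated value was pasted, which would leave the device with a key that does not match the AAA server.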

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before?  I am using Cisco ACS 5.2.  I have a very simple word (no, not cisco ) for my tacacs-server key.  I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied.  Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest? 
    Cliffs:
    -tacacs-server key is a  simple key and is the same for every switch and within ACS
    -AAA config is the same on every switch, so I do not believe it to be a AAA config issue
    -Running config on switch that is not working is pretty much the same as the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • How to upgrade windows 8.1 to Pro using VLSC key?

    hi,
    How to upgrade windows 8.1 to Pro using VLSC key?
    Will this work like a pro pack?
    Thanks

    Hi MGerio,
    Are you going to upgrade several Windows 8.1 machines to Pro with VLSC key ?
    It is recommended to ask for help from our Volume Licensing Service Center. They will offer much more help for you.
    Welcome to the Volume Licensing Service Center
    https://www.microsoft.com/Licensing/servicecenter/default.aspx
    Best regards

  • ACS 5.3, ASA using TACACS+ forces to PAP?

    As the title says I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+.  It only works if I have PAP enabled on the ACS.  Obviously this concerns me.  I've found the following reference in the configuration guides:
    TACACS+ Server Support
    The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
    I can't figure out how to make the ASA use MS-CHAPv1 though.  Seems like it should be pretty simple.
    Incidentally I was having the same problem with VPN auth's using RADIUS but I was able to fix that by enabling the password management option which is only available in CHAPv2.  Seems that option isn't available under TACACS+.
    Any suggestions?

    As far as I am aware the asa will only use PAP to authenticate console exec logins. I wish it used chap-v2.

  • ASA 5585-X TACACS+/RADIUS Server

    All,
    Can the ASA 5585-X's act as a AAA TACACS+ and/or RADIUS server for network infrastructure devices?
    I've used Cisco Secure ACS for TACACS and RADIUS AAA..
    My client has ordered a bunch of them.   They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
    Thanks for any information.
    Stephanie

    Adding to Jan's correct answer.
    The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
    Beside NPS on Windows server, there are also open source projects of both RADIUS and TACACS servers available.

  • ACS 5.2 WCS 7 TACACS+ CHAP problem

    Hi all,
    I want to configure management-access authentication to the WCS via tacacs+. The AAA Server is Cisco ACS 5.2.
    I made it and it works, but only with PAP Authentication Type. CHAP doesn't work 4 me.
    The Access Service is configured with allowed protocols PAP and CHAP.
    The ACS Monitor just display an error with these steps:
    Received TACACS+ Authentication START  Request
    Evaluating Service Selection Policy
    Matched rule
    Selected Access Service - WCS und Controler  Mgmt
    TACACS+ authentication request ended with  error
    And by the way I added two ACS Servers and WCS just asks one, is it normal?
    Thx

    I've tried the same config with RADIUS CHAP and it works!
    Isn't there anybody who use the combi of TACACS+ and CHAP?

  • After upgrading ACS 3.3.1 to 4.2 on windows the local database is not working

    Hi,
    I have upgraded the ACS 3.3.1 for Windows server to 4.2. Everything went fine but the local database is not working.
    The CD is an upgrade kit from 3.x to 4.2 on Windows. I tried to install 4.2 directly; I was able to install it but integration with AD/LDAP is not working. Anyway, it's an upgrade kit so I can't expect it to work when installing 4.2 directly, but by upgrading from 3.3 to 4.2 everything should work fine.
    I followed the upgrade path as recommended.
    Also we have a requirement that once it is upgraded to 4.2 we need to shift the whole thing from the physical server to a virtual machine on VMware ESX server 3.5.
    Can anybody please guide me if there is anything else to do after the upgrade.
    Thanks & Regards
    Sachi

    Hi Javier,
    First of all I was facing a problem of restoring the old database of 3.3 to 4.2. Somehow I overcame that issue by following the below steps. Now local authentication is working fine but AD/other External database authentication is not working. As you told the setting for the unknown users are configured to fetch the credentials from the external database if it is not in the local database.
    Do we need to do anything in the AD itself?
    Regards
    Sachi
    Steps for ACS upgrade to 4.2 version
    Below are the requested steps for the upgrade from ACS 3.3.2 to ACS 4.2.
    1) Take a configuration backup from the existing ACS: ACS ---> System configuration ---> ACS Backup.
    2) Now, if you have ACS 3.3.2 on the server, take a backup of the ACS.
    3) Insert the CD, or if you have the setup on the system, run the setup of ACS 3.3.4. During the process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit Next, Next to finish the 3.3.4 upgrade.
    4) Once you are at 3.3.4, take a backup and keep it handy.
    5) Run the setup of 4.1.1. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit Next, Next to finish the 4.1 upgrade.
    6) Once you are at 4.1.1.24, take a backup and keep it handy.
    7) Run the setup of 4.2. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit Next, Next to finish the 4.2 upgrade.
    8) Once you are at 4.2, take a backup and keep it handy. Now run patch 12 and take a backup again.
    9) Now fresh install 4.2 on your new production server and install patch 12. Restore the 4.2 patch 12 backup and you should be all set.

  • ACS 5.2 Error message: 5405 RADIUS Request dropped

    The error message "5405  RADIUS Request dropped", what does it mean?
    We have implemented 802.1X on a C4506 switch running IOS 12.2(53). It has worked fine for about 3 months but now I get users not able to authenticate. In the logs on the ACS I get the above message.
    ACS 5.2 is running 5.2.0.26 Build 3075.
    Has anyone had the same problem?

    It's fixed in 5.3...
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html
    ...or stop/start ACS as a workaround until it happens again.
    Kind regards,
    Ron

  • Part number to upgrade ACS 1113 from 4.2 to 5.1

    I would like to upgrade my ACS server SE 1113 from 4.2 to 5.x but I cannot seem to find a part number.  Does anyone know what the license part number may be?
    Thanks,
    Gary

    Gary,
    See here:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-569135.html
    HTH,
    Faisal

  • Upgrade ACS from 4.1.1.23 to version 4.2.1.15

    Hi.
    I have installed ACS on Windows 2003 R2 Service Pack 2.
    I am upgrading from version 4.1.1.23 to version 4.2.1.15, as recommended by Cisco.
    Before the update everything works fine.
    After the upgrade, it does not authenticate users and sends the following messages: "External user not found", "Authentication session invalidated" and "internal error".
    The mapping is ready. Image attached.
    Can someone tell me what is happening?
    Thanks.

    You will want to set the service level detail to full (System Configuration -> Service Control), reproduce the problem, then get a package.cab file and look in the auth.log file for the dialog between ACS and the external user database you have configured on ACS.

  • Upgrade ACS from 3.2 to 3.3

    Hi all,
    I need to upgrade an ACS from version 3.2 to 3.3. What do I have to buy to do this? I found only a code for upgrading from 2.x to 3.x (very expensive). Could I download the patches to upgrade release 3.2 to 3.3?
    Marco

    Contact a Cisco reseller, and see what deals there are. I don't know offhand if there is a different list price for an upgrade from 3.2 to 3.3 compared to actually just buying 3.3.
    After that you install over your 3.2 installation, all the configuration is upgraded, and you have a 3.3 installation.

  • Cannot upgrade ACS 5.1.0.44 to 5.1.0.44.X

    I have a licensed ACS version 5.1.0.44 (VM image) installed and working. I am trying to upgrade to the latest version but I keep getting the following error:
    ciscoacs/admin# patch install 5-1-0-44-6.tar.gpg upgrade
    Do you want to save the current configuration ? (yes/no) [yes] ? yes
    Generating configuration...
    Saved the running configuration to startup successfully
    % Manifest file not found in the bundle
    I tried using early patches to no avail. On a quick google search, I can only find reference to upgrading an ACS Express 5.0 to 5.1 where the Manifest error appears.
    Here is my show version:
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.146
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ciscoacs
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.1.0.44
    Internal Build ID : B.2347.EVAL
    Strange how it shows eval, even though I loaded the VM image from an official disk and I have applied my license.
    ciscoacs/admin# show inventory
    NAME: "Cisco-VM chassis", DESCR: "Cisco-VM chassis"
    PID: Cisco-VM-SPID     , VID: V01 , SN: Cisco-VM-SN
    Total RAM Memory: 516164 kB
    CPU Core Count: 1
    CPU 0: Model Info: Intel(R) Core(TM) i5-2500S CPU @ 2.70GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 107.30 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 13054 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: 00:0C:29:74:CC:49
    NIC 0: Driver Descr: eth0: registered as PCnet/PCI II 79C970A
    (*) Hard Disk Count may be Logical.

    Sigh. Using FTP instead of TFTP solves the issue. Weird, because I am using a Linux-based TFTP server that has a patch to get past the 64 MB limitation. Meaning, it can serve up files larger than 64 MB with no issue at all to my other Cisco devices.
    Oh well....
    ciscoacs/admin# acs patch install 5-1-0-44-6.tar.gpg repository upgradeftp
    Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
    Stopping ACS.
    Stopping Management and View...........................................
    Stopping Runtime...............................
    Stopping Database...
    Cleanup.....
    Stopping log forwarding .....
    Installing patch version '5.1.0.44.6'
    Installing ADE-OS 1.2 patch.  Please wait...
    About to install files
    Removing old war
    Removing old war
    Removing old war
    Removing old war
    /opt/CSCOacs/patches/5-1-0-44-6
    Patch '5-1-0-44-6' version '5.1.0.44.6' successfully installed
    Starting ACS ....
