What encryption is used to encrypt the Cisco Secure ACS: SE backup file?

What algorithm and key strength is used when I check the Encrypt Backup File option in ACS: Solution Engine?

The ACS backup is encrypted with RC2 40 - method RC2 40-bit encryption. The encryption option allows you to further encrypt the already encrypted database, for the transmission between ACS & the FTP server.
Regards,
~JG
Please rate helpful posts

Similar Messages

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the world's best-selling remote access security solution and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
    extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

    bump

  • Unauthorized device logging in via Cisco Secure ACS 3.2

    We have the Cisco Secure ACS v 3.2. There is a device that we recently discovered is not added into the network configuration on the ACS. This device, running IOS 12.2(29), does have all of the correct TACACS settings that should allow it to authenticate via TACACS.
    So basically, the ACS is allowing users to use this device to log in, even though it's not in the Network Config.
    When we look at the Logged-in Users report, it shows the host name as "Tacacs+ Default". We aren't sure what that is supposed to mean, and why it's allowing it.
    Thank You for your time,
    Andrew

    Andrew,
    Make sure that you are not using any wildcards in place of an IP address in the network configuration, e.g. 192.168.*.*
    This will open TACACS requests from the whole 192.168 network.
    Also check the passed attempts and check the NAS IP address from where the request is coming. Search for that IP in the network configuration and see if that IP belongs to the switch in question. An L3 switch can have multiple IP addresses.
    If that IP belongs to that switch, then you need to take that out from the network configuration.
    Regards,
    ~JG
    Do rate helpful posts
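The check described in the reply above, as an added example that is not part of the original post: given the AAA client entries from Network Configuration and the NAS IP addresses seen in Passed Attempts, it reports which entry admitted each address and whether a wildcard did it. The entry names, addresses and the one-`*`-per-octet matching model are constructed assumptions.

```python
import ipaddress

# Constructed sample of an ACS "Network Configuration" AAA client list:
# entry name -> address patterns (an entry may hold several, '*' = any octet).
AAA_CLIENTS = {
    "core-sw1": ["10.1.1.1", "10.1.2.1"],
    "branch-any": ["192.168.*.*"],
}

# Constructed NAS IP addresses as they would appear in the Passed Attempts log.
PASSED_NAS_IPS = ["10.1.1.1", "192.168.40.7"]


def pattern_matches(pattern, nas_ip):
    """Return True if one address pattern covers nas_ip."""
    ip_octets = str(ipaddress.IPv4Address(nas_ip)).split(".")  # validates the IP
    pat_octets = pattern.strip().split(".")
    if len(pat_octets) != 4:
        raise ValueError(f"not a dotted-quad pattern: {pattern!r}")
    return all(p == "*" or int(p) == int(o) for p, o in zip(pat_octets, ip_octets))


def addresses_covered(pattern):
    """How many source addresses a pattern admits (256 per wildcard octet)."""
    return 256 ** pattern.split(".").count("*")


def covering_entries(clients, nas_ip):
    """All (entry, pattern, breadth) tuples that would accept requests from nas_ip."""
    hits = []
    for name, patterns in clients.items():
        for pattern in patterns:
            if pattern_matches(pattern, nas_ip):
                hits.append((name, pattern, addresses_covered(pattern)))
    return hits


def audit(clients, nas_ips):
    """Map each NAS IP to the entries that admit it; wildcard hits need review."""
    report = {}
    for ip in nas_ips:
        hits = covering_entries(clients, ip)
        report[ip] = {
            "entries": hits,
            "via_wildcard": any(breadth > 1 for _, _, breadth in hits),
        }
    return report


if __name__ == "__main__":
    for ip, result in audit(AAA_CLIENTS, PASSED_NAS_IPS).items():
        print(ip, result)
```

An address that is admitted only through a wildcard entry is the case the reply describes: the device authenticates although it was never added by its own IP.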

  • Features of Cisco Secure ACS Appliance

    Hi,
    I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
    There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
                o     Can known users still be authorized?
                o     Are unknown users still blocked?
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    •     Which kinds of Attacks can the ACS (alone) prevent?
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
    Thanks for all answers.
    Regards,
    taouri

    See inline answers:
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    Yes, as long as those devices support RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to ensure it'll work.
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
    This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work.
                o     Can known users still be authorized?
    In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
                o     Are unknown users still blocked?
    Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
    •     Which kinds of Attacks can the ACS (alone) prevent?
    ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
    This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
    http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

  • What do you use to monitor the IDS and alerts?

    I have installed a 4250 and built out some custom signatures and got the email working from VMS 2.2 for some of the high priority alerts. This is all great, but I was wondering what other people use to monitor the alerts and how they get notifications. I see what I have as being very limited in scope and there are a number of parts in VMS that just do not work.
    Do you use other console products? I have seen a couple of applications advertised that say they aggregate alerts from the PIX, IDS and McAfee. Just wondering if or what others use. I only have one IDS but I do have other items: PIX, McAfee.

    I wish I could but I can't offer up anything that won't come at a cost.
    The original poster in this thread alluded to solutions capable of looking at disparate data in one console. That’s a Security Information Management System (SIMS), pure and simple. Cisco sells one, as do many other vendors. The unfortunate thing is that there is no inexpensive SIMS solution out there that offers multi-product monitoring. They all come at a significant price point.
    Since you both have a single sensor, I agree that VMS Basic is more than you need. The hiccups with it far outweigh the benefits. IEV might be "uncomfortable" to use but it works. In my experience (in a single-sensor monitoring environment), using IEV for monitoring and IDM for configuration management is the easiest, if not the most eloquent, solution.
    If you want fancy visualization or reporting, you're going to have to be willing to plunk down some cash to buy it. With a single IDS sensor, it's just not economically viable IMHO.
    I hope this helps,
    Alex Arndt

  • What trunking protocols are supported by the Cisco AP1200 series

    Guys,
    What trunking protocols are supported by the Cisco AP1200 series?
    Thanks in advance for your reply

    Has to be a dot1q encapsulation.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • After installing 8.2 on my iPad all the apps crash during use. It appears that the iPad saves a version of what I was using because after the app crashes I double press the home button and there is a screen of an older version of the page I was using.

    After installing 8.2 on my iPad (2nd gen) all the apps crash during use. It appears that the iPad saves a version of what I was using because after the app crashes I double press the home button and there is a screen of an older version of the page I was using. I swipe it away and start over, only to have the same thing happen again. I have reinstalled all the apps, rebooted, synced and re-synced with iTunes. This is VERY irritating!

    That's one of the weird things.. it recognizes it maybe 10% of the time. And usually, only after I do the two-button reset. Problem is.. since it won't charge above 2%, anytime I try to do a restore or anything like that using iTunes, my device shuts off and I lose whatever progress I'd made.
    So, an update... after reading through a bunch of similar complaints (there are literally 1000's of them so there's NO WAY this isn't somehow ios7 related, thanks a lot APPLE ) I decided to try a restore in recovery mode. After 3 hours and several disconnections... I ended up having to just set it up as a new iPad, as the restore did nothing. Weirdly though... as I was doing the restore in recovery mode.. I noticed I'd gotten up to a 10% charge.. higher than it's been since September, so after setting it up as a new device, I turned it off and plugged it in using the wall charger. 2 hours later and I was up to 38%. Still not great, as my iPad, before ios7 could've fully charged twice in the amount of time it took for me to now get 28% more of a charge. And that's with a fully cleaned out device.. so that really ***** and I'm now more confused than ever.
    But I'm gonna leave it overnight charging and see what I come up with tomorrow. Sadly, when I paid $600 for it in February, I never expected to have to play "wait and see" with it...

  • Can I use accounts in the Airport Utility to keep backup from multiple macs separate and separate?

    Can I use accounts in the Airport Utility to keep backup from multiple macs separate and separate?

    Backups from multiple Macs are always kept separate. Each Mac TM will create its own sparsebundle and will not interfere with others.
    Using the accounts in AU will simply make each sparsebundle only accessible to that user, i.e. it is purely a security measure that is so weak as to be useless: anyone can bypass it by pressing the reset for 1 sec.
    And what it will do is cut off everyone from their existing backups.. you will be warned when you set it up that what is about to happen may not be 100% goodness.. pay attention.. it is not.

  • Link does not work for-End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4

    Link does not work for
    End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
    How do we get Cisco to fix?
    see attachment

    Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
    Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.

  • Is there a way to see the size of my ICloud backup files, so I can determine which one I want to use?

    Is there a way to see the size of my ICloud backup files, so I can determine which one I want to use?

    Go to Settings>iCloud>Storage & Backup>Manage Storage.  Your backups are listed at the top, along with their sizes.  Note: this will only list your most current backup.  You may have your previous two backups available too but you cannot access any size information about them.

  • Cisco Secure ACS 4.2 with Oracle

    hi there...
    Our campus is using WiSM (WS-SVC-WISM-1-K9) as wireless controller, Cisco 1130 access points and Cisco Secure ACS 4.2 Solution Engine 1113 Appliance as RADIUS server. For username and password, ACS will export the data from the Oracle database (production DB).
    The problem that we are facing right now is that the password stored in the Oracle database is in encrypted format. Based on feedback from our database administrator, the encryption is done by Oracle - application layer and cannot be decrypted back. In Oracle they call it "Oracle Stored Procedures".
    My questions:
    1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
    2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
    Please advise.
    Thanks

    Microsoft SQL Server and Case-Sensitive Passwords
    If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
    For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
    For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
    Sample Routine for Generating a PAP Authentication SQL Procedure
    The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
        -- Drop any existing copy of the procedure before recreating it
        IF EXISTS (SELECT * FROM sysobjects
                   WHERE id = object_id('dbo.CSNTAuthUserPap') AND sysstat & 0xf = 4)
            DROP PROCEDURE dbo.CSNTAuthUserPap
        GO
        CREATE PROCEDURE CSNTAuthUserPap
            @username varchar(64), @pass varchar(255)
        AS
        SET NOCOUNT ON
        -- PAP: the password ACS received is compared with the stored value
        IF EXISTS (SELECT username
                   FROM users
                   WHERE username = @username
                   AND csntpassword = @pass)
            SELECT 0, csntgroup, csntacctinfo, 'No Error'
            FROM users
            WHERE username = @username
        ELSE
            SELECT 3, 0, 'odbc', 'ODBC Authen Error'
        GO
        GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
        GO
    Sample Routine for Generating an SQL CHAP Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
        -- Drop any existing copy of the procedure before recreating it
        IF EXISTS (SELECT * FROM sysobjects
                   WHERE id = object_id('dbo.CSNTExtractUserClearTextPw') AND sysstat & 0xf = 4)
            DROP PROCEDURE dbo.CSNTExtractUserClearTextPw
        GO
        CREATE PROCEDURE CSNTExtractUserClearTextPw
            @username varchar(64)
        AS
        SET NOCOUNT ON
        -- CHAP/MS-CHAP/ARAP: the stored password itself is returned to ACS
        IF EXISTS (SELECT username
                   FROM users
                   WHERE username = @username)
            SELECT 0, csntgroup, csntacctinfo, 'No Error', csntpassword
            FROM users
            WHERE username = @username
        ELSE
            SELECT 3, 0, 'odbc', 'ODBC Authen Error'
        GO
        GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
        GO
    Sample Routine for Generating an EAP-TLS Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
        -- Drop any existing copy of the procedure before recreating it
        IF EXISTS (SELECT * FROM sysobjects
                   WHERE id = object_id('dbo.CSNTFindUser') AND sysstat & 0xf = 4)
            DROP PROCEDURE dbo.CSNTFindUser
        GO
        CREATE PROCEDURE CSNTFindUser
            @username varchar(64)
        AS
        SET NOCOUNT ON
        -- EAP-TLS: only the user's existence and group are looked up, no password
        IF EXISTS (SELECT username
                   FROM users
                   WHERE username = @username)
            SELECT 0, csntgroup, csntacctinfo, 'No Error'
            FROM users
            WHERE username = @username
        ELSE
            SELECT 3, 0, 'odbc', 'ODBC Authen Error'
        GO
        GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
        GO
    Reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420
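An added example, not from the post or from Cisco's guide, relating the two procedures above to the question about passwords that cannot be decrypted: a PAP-style check receives the password and can compare one-way values, while a CHAP check (RFC 1994) has to compute MD5 over the secret itself, which is why that procedure returns csntpassword. PBKDF2 as the one-way transform, the user record, the salt and the challenge are constructed assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real store uses a random salt per user


def one_way(password, salt=SALT):
    """Stand-in for the database's one-way password transform (assumed: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: only the one-way value is stored, as in the question.
USERS = {
    "wlanuser1": {"pw_hash": one_way("S3cret-pass"), "group": "Group 30", "acct": ""},
}


def authen_pap(username, password):
    """Result row shaped like CSNTAuthUserPap's, comparing one-way values."""
    user = USERS.get(username)
    if user and hmac.compare_digest(one_way(password), user["pw_hash"]):
        return (0, user["group"], user["acct"], "No Error")
    return (3, 0, "odbc", "ODBC Authen Error")


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap(identifier, challenge, response, secret_known_to_server):
    """The server can only verify if it holds the same secret the client used."""
    expected = chap_response(identifier, secret_known_to_server, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    challenge = bytes(range(16))  # constructed challenge
    client_value = chap_response(7, b"S3cret-pass", challenge)
    stored = USERS["wlanuser1"]["pw_hash"]
    return {
        "pap_good": authen_pap("wlanuser1", "S3cret-pass"),
        "pap_bad": authen_pap("wlanuser1", "wrong"),
        "chap_with_cleartext": verify_chap(7, challenge, client_value, b"S3cret-pass"),
        "chap_with_hash_only": verify_chap(7, challenge, client_value, stored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```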

  • Setting privileges in Cisco Secure ACS Version 5.1.0.44

    I am setting privileges in Cisco Secure ACS Version 5.1.0.44.
    In the command sets from the ACS server, I denied few commands as can be seen in the attached screenshot and selected 'Permit any command that is not in the table below'.
    I am unable to see some commands like "Show running-configuration" from the router I was testing. What changes should I do to see all the commands other than the denied commands. Your help will be rated. Thank you.

    Hi,
    The ACS is able to handle permit or deny commands.
    I created a configuration example that will help you to understand command shell. (see attached doc)
    Instead of using show running-config please use show config.
    Also make sure that all the users are using privilege 15.
    Regards,

  • Advice for Buying Cisco Secure ACS 3.3 for Windows

    Just need advice on what other things I NEED to order apart from the Windows server when I want to implement ACS and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS
    Hope someone will help

    Hi,
    This is all what you require:
    Supported Operating System
    Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
    •Windows 2000 Server, with Service Pack 4 installed
    •Windows 2000 Advanced Server, with the following conditions:
    –with Service Pack 4 installed
    –without features specific to Windows 2000 Advanced Server enabled
    •Windows Server 2003, Enterprise Edition
    •Windows Server 2003, Standard Edition
    Note The following restrictions apply to support for Microsoft Windows operating systems:
    •We have not tested and cannot support the multi-processor feature of any supported operating system.
    •We cannot support Microsoft clustering service on any supported operating system.
    •Windows 2000 Datacenter Server is not a supported operating system.
    Please refer to the following link for more information:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
    Thanx & Regards

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco Secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a csv file. I create an accountactions.csv file where I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create one Group (e.g rename Group 30 with Group TEST) directly in my csv file ?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what I found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    line 1
    Rename "Group 100" to named group "BPM" using code 210 to perform the Action
    Gerald
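A pre-import check for the accountActions CSV discussed in this thread, as an added example that is not part of either post: it validates the 14-column layout from the header row above and flags rows that would put a cleartext password on disk. The meanings given to codes 100, 102 and 106 are how the thread's rows read (210 is the rename Gerald describes), and treating a repeated SequenceId as an error is an assumption.

```python
import csv
import io

COLUMNS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
           "ValueName", "Value1", "Value2", "Value3", "DateTime",
           "MessageNo", "ComputerNames", "AppId", "Status"]

# Only the action codes that appear in the thread: description and the
# fields that must be non-empty for the row to make sense.
ACTIONS = {
    "100": ("create user", ("UserName",)),
    "102": ("set user password from Value1", ("UserName", "Value1")),
    "106": ("assign user to GroupName", ("UserName", "GroupName")),
    "210": ("rename GroupName to Value1", ("GroupName", "Value1")),
}

# Constructed input: rows from the thread plus three deliberately bad rows.
SAMPLE = """\
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,TESTuser,,100,,,,,,0,,,0
2,0,TESTuser,,102,,test,,,,0,,,0
3,0,TESTuser,Group 30,106,,,,,,0,,,0
4,1,,Group 100,210,,BPM,,,,0,,,0
4,1,,Group 101,210,,,,,,0,,,0
6,1,,Group 102,999,,X,,,,0,,,0
7,0,TESTuser,,100,,,,0,,,0
"""


def lint_account_actions(text):
    """Return (line_no, level, message) findings for an accountActions CSV."""
    findings = []
    seen_ids = set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row == COLUMNS:  # blank line or header row
            continue
        if len(row) != len(COLUMNS):
            findings.append((line_no, "error",
                             f"expected {len(COLUMNS)} fields, got {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, row))
        if not rec["SequenceId"].isdigit():
            findings.append((line_no, "error", "SequenceId is not a number"))
        elif rec["SequenceId"] in seen_ids:  # assumption: ids must be unique
            findings.append((line_no, "error",
                             f"duplicate SequenceId {rec['SequenceId']}"))
        seen_ids.add(rec["SequenceId"])
        action = ACTIONS.get(rec["Action"])
        if action is None:
            findings.append((line_no, "warn",
                             f"action {rec['Action']} not in the reviewed set"))
            continue
        for field in action[1]:
            if not rec[field].strip():
                findings.append((line_no, "error",
                                 f"action {rec['Action']} needs {field}"))
        if rec["Action"] == "102" and rec["Value1"]:
            findings.append((line_no, "warn",
                             f"cleartext password for {rec['UserName']} in file"))
    return findings


if __name__ == "__main__":
    for finding in lint_account_actions(SAMPLE):
        print(finding)
```

A password warning on a row means the CSV itself needs the same file permissions and transfer protection as the ACS database it feeds.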

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

      I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
    and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
    I've scoured google etc, and just cannot come up with any reason why this should be happening.
      I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the internal error.
    After this answer I have upgraded it to ACS 4.2.1 and it's started working fine
    Thanks very much for the help
    Dipu
