we have created some administration accounts which should only have the possibility to work on the user database. the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope. We are migrating from ACS v4.2 to v5.2. I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal. The user role does not have privileges for show start-config or show running-config. Am I missing something or are these the only 2 roles available at the CLI? Can another rolle be added?
After upgrade to ACS 5.2 appliance , we are trying to configure AAA between Ciscoworks and ACS. Authentication is working but authorization fails , logged user cannot access to admin parameters. I've configured attributes manually but it doesn't work.Does ACS 5.2 support integration with CiscoWorks?
I have ACS 5.3 running TACACS+ and Nexus 7K with 2 x non-default VDC's, VDC-OTV and VDC-CR.I want my TACACS account to have role "vdc- admin" on VDC-CR, and "vdc-operator" on VDC-OTV.I tried putting the VDC's into different Network Device Groups, with VDC-CR being in an Authorization Rule that associated the Device Group with the "vdc-admin" Shell Profile. But I'm getting the same roles on both VDC's--both get whatever the role in the Shell Profile.
It's possible I'm not organizing the Devices and Network Device Groups correctly. It seems to me when I add a new Device, it knows about all the Device Groups, and the IP range and exclude syntax seems to be a pain. I have existing Device Groups, one with a 10.10.*.* IP range, and I'm trying to isolate these two VDC's out of that IP range into their own individual Device Groups.
I have a client that is running ACS 5.3 as a VM in ESX 4.1. The client wants their VMWare admins to have the ability to shut down the ACS server during maintenance etc... I know I could create a CLI user with admin priviliges, however, assigning full admin priviliges is beyond the scope of what the user requires. They simply want a user account with the added privilige of performing a halt from the CLI. In the CLI Reference Guide for ACS.
So is it possible to create an account with user priviliges, then modify its permissions to allow for a halt?
I have a desktop without a wireless card and i want my network to be wireless so i bought a d-link wireless card for the desktop, the system then discover the wireless network but could not connect it kept on trying to authenticate, it did not even ask me for the web security key, what do I do
We currently have about 8 WLC 4400 series controllers deployed around the company, one of these controllers is acting as an Achor controller for GUEST wifi access for visitors to the company, as a result of this we have many users with "LobbyAdmin" access to setup users.
We have recently introduced a Cisco WCS to manage these devices but its not fully implemented/active to see all WLC's.I need to be able to report on the LobbyAdmin users to see who is setting up accounts and for who etc. Currently access to the WLC/WCS is done via Local admin accounts. All accounts for the LobbyAdmin people are setup on our anchor controller.
I have added the anchor controller for this to the WCS system but when looking in Administration/AAA/Groups the LobbyAdmin groups shows No Members.Is there a way that i can import the Lobby Admin names from the anchor WLC to the WCS so i can do reports/audit checks on these users?
I have manually configured the E2000 and set the admin password. When I was trying to log back in, I could not. I reset and reconfigured and set the password again. I still could not log in using "admin" and the password I set up. I thought I was losing my mind. Just on a hunch, I used the SSID name instead of "admin", then entered the password that worked. I am able to login, but I need the username to be admin, not the SSID. Has anyine else had this issue? Any way to change the administrator name back to admin??
ACE 4710 TACACS issues ,How to setup user with Admin context access permission. I have enable the TACACS and it can directly put me in Context mode not in Admin Context mode .
We created the admin account during the setup and were able to log into the Web GUI, but we can't use this admin to access the CLI by using ssh, always said permission denied.
I want to set it up so that when you log into any of the ACS 5.2 servers you have to use your AD credentials to log in and define what access you have. Is this possible? If so, how can this be set up?
I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and aslo to provide admin access to the ASA5500 both via radius.I want to authenticate the VPN against a SeureID appliance and the admin login against a different database (using internal for testing but will use LDAP in the end).I cant seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol radius I can point that at either database but if I try saying match radius and service type 5 it doesnt match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesnt seem to work either.In the end what I want to acheive is to authenticate teh ASA5500 VPN against the SecureID appliance and then admin access to all devices on teh newtork (a mixture of Cisco, F5 and Juniper) to active directory via LDAP where if the user is a member of the "admin" group they get access.I was intending to use specific devices for the ASA5500s (there aretwo) and then creat a device group based on IP address range for everything else.
Do you know if it's possible to use ACS 5.x in such manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against and external database, like Active Directory?
I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a Maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days + However when I try and display the "ACS_Configuration_Audit" in View and perform a Custom query that goes back 90 days it will only display about 35 days of Admin logs.I know the logs are there because when I go into CLI and do a search like "show logging | i "ObjectType=Administrator Account" the Administration logs go back over a year.why ACS View cannot display all the Admin logs?The ACS is running v5.1.0.44 Patch 6 (Also experiencing this in a v5.2 ACS as well)
my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?
this is the first time I am about to configure ACS 5.3 to authorize user group from doing some commands in the "configure mode" while permitting them some other commands. As example, I want to deny them from doing "reload" but give them access to configure "time-range", what happen is, they are denied access to "reload" on the exec mode, but once they went into "configure" mode, they would be able to "do reload"I mean to say, is it possible to manage the subsequent commands to "configure terminal" ?
Is there a way to put a login banner on the ACS admin web page? Either display it directly on the web page or do a redirect to a banner page? Can I edit the admin pages directly or does ACS provide a mechanism to add this type of feature?
we managed to integrate our newly setup ACS 5.2 to our regional domain. now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full and read access respectively.
i already have the default identity policy and authorization policy with with command sets fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that each user falls under one of these groups will have a correct read/write access.
I have to reset/recover admin-CLI password. I had posed the question in [URL]Now as per the CLI-admin password recovery procedure at [URL] I have inserted DVD in the hardware appliance, but I don't see any prompt with these options:
"Welcome to Cisco Identity Services Engine - ISE 3355 # To boot from hard disk press <Enter> # Available boot options: "
I just see login prompt ( and of course, I cannot login because I don't know the password). I am using serial console connection to the appliance.
we've configured an ACS 5.1 and integrated it with active directory Win2K3, we created two groups in the AD for managing network devices one for Administrators and the other for operators (read-only), so we configured a device admin policy and both groups work fine, but now we are facing a little problem any user who exists in the AD can login (user exec mode) in the network devices and we want to restric the login with the policy, but we just don't know how. Is there a way to get a user be authenticated against external group or internal acs but at user level, just like you can do it in the ACS 4.X?
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
I have a Domain Controller on windows 2003 advanced server. and I have roles and some configuration such as rights, user accounts, DHCP configuration, DNS server and etc on it.Some times windows needs to be reinstalled but after reinstalling,configuration of roles would be lost. I don't know how can I backup these settings? Is there any solution about this problem.I know a simple way is creating an image of windows installation drive by an application such as Norton Ghost but I'm talking about windows solution.
