I have problem with ACS 5.0 on reporting. On "Monitoring and Report" page in Faverite Reports when i clicking on "Authentications - RADIUS - Today", My browser displays error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0 also from command line all the acs services are running. It is running on CISCO 1120 Secure Access Controll Server apliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
I´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project. I would like to know what is the impact on the ACS? CPU/MEM? What is the impact on the user authentication? delay, timeout, etc.
We have downgraded cisco acs appliance 1120 from ACS 5.0 to ACS 4.2.1.15 , when we perform ICMP ping request to acs appliance its not responding , But i can do ping test from acs appliance on console mode not from GUI mode .
Is there any option to enable ICMP Ping response on cisco acs 1120 . else any patch to be upgraded to perform this action , my requirement is enable ICMP ping on acs appliance for troubleshooting . instead always check with telnet x.x.x.x 2002 for service responding
I encountered some strange issues with one of our appliances in the field. Reinstalled and encountered the strange issues. No errors.. did some memory test and the seagate harddisk test and encountered SMART errors. The device didn't log those errors anywhere.. First reason to check the second harddisk. The appliance is shipped with two so the first thing I was thinking of was RAID. I saw that raid wasn't configured. Try to boot the second harddisk and saw that nothing was on that disk.. so what is the mean reason you got two of those? Got the new machine and try some options to configure RAID.You got two options.. didn't see this before, most of the time you got only one option. Raid driver on or no RAID configuration at all. First tried the intel storage matrix, configured both of the disks for mirror and install the ACS 5.2. The machine boots after installs and rejects the DVD. Result: The installation doesn't boot! Checked the partition with gparted but the partition is active (or flagged as boot) Second option was LSI, got the raid configured for mirror and the installation was also completed. Result: working installation. Tried to test if the installation is still working after removing one of the disks. Appliance is complaining the the RAID is missing one disk (so this works). After that the machine tries to boot, result: no working ACS.
I have configured the appliance everything is working fine.We have a remote syslog server and I have configured the remote syslog server details in the "Remote Log Targets" and and Logging Categories.But I cannot see any logs on my syslog server
I have an ACS applicance that had a version 5.1 and i did an upgrade to 5.3 with latest patch.For some reason, the runtime process got stuck in (reinitializing and restarting) state.i did the recommended action to perform ACS stop and ACS start and even hard reset of the appliance, but it did not cut itThis process turned out to be a bug and it should have been fixed in version 5.3, but it has not i guess
i know that acs reset-config will solve the issue, but i have a problem here , the license file will be deleted as well with the config and i cannot find a way to export the license and then import it into the reseted config ACS hardware. Unfortunately, the license file is not saved anywhere in the company and i cannot affort to lose it.how to export the license from the applicance (CSACS-1120)?
i am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS request from a Cisco WLC 5508 appliance running version 7.0.116.0.these devices have open communication on all ports - no firewalls or ACL'sthey have successful ping communication The following statements illustrate some but not all the debugging I have done to ensure each device functions as it should in isolation.Using a simple windows RADIUS server (radserv2.exe) instead of the Cisco ACS This works and the WLC gets RADIUS response from my makeshift serverUsing a simple windows EAP client to query the ACS using RADIUS protocol this works and the ACS processes the RADIUS request and sends a responsePlaced a wireshark client on the network to inspect timeout. Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS At the moment I have the WLC accepting the association from the wireless client and sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS, the WLC receives no response and generates a timeout message and disassociates from the client. note this is not a reject or similar message, the ACS simple does not even process the packet. i.e. there is absolutely nothing in the ACS logs to suggest it even received a radius packet from the WLC. In summary the WLC and the ACS successfully function independently but they do not communicate via radius.
When attempting to register an ACS instance to a primary (via System Administration -> Operations -> Local Operations -> Deployment Operations), I receive the following error as a popup in my browser:
"This System Failure occurred: /opt/CSCOacs/db/acs.crt (No such file or directory). Your changes have not been saved.Click OK to return to the list page."
I had 2 ACS 1120 appliances clustered, 1 suffered a hardware failure about a year ago so I replaced it with a VM. That one is now the primary. I'm now wanting to replace the secondary instance (the remaining 1120 appliance) with a VM as well. I removed the current appliance from the network, installed the VM using the same IP address, and attempted to register. It failed as per the above error. After trying this a number of times, I then decided to return the 1120 appliance to secondary status and attempted to register it with the same results as above.
I have an acs 5.0 running on Cisco 1120 appliance. It has worked for 2 years. Suddenly, I discovered that user can no longer login with their credentials. On close examination, when I console, the booting does not complete. Screen shot attached.
i have 4 X ACS-1120. Each 2 are operating as an Primary and backup. I want to add a license in order for the ACS to support more than 500 networks which includes in the base license.As I understand this is the license required : L-CSACS-5-LRG-LIC= · Is this license applicable to ACS-1120 appliance with ver 5.2 ? – I understand that it is. for my scenario, do I need to purchase total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or I need to purchase 4 licenses each for each ACS ? – I understand that one license will serve deployment of two ACS in primary and active scenario.
I'm trying to join a band new CSACS-1120 to our active directory without success. The process in it self should be pretty straigh forward, but so far no luck.
I've configured the relevant info under "Users and Identity Stores > External Identity Stores > Active Directory.
Active Directory Domain Name: xxx.com Username/Password : domain administrator account
When I test connection I get a info dialog "This machine is currently connected to domain xxx.com".After which I try to save changes which gives a reply ""This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."
I've noticed that in the system log "show logging system tail" that I get a exception as soon as I enter the AD configuration page and subsequently every time I perform a action on that section.
Why the AD join keeps on failing and what the debug exception I'm getting means?
i am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of EAP_TLS under golbal authentication setup .
I have downloaded client supplicant certficate file for my windows XP machine .When i tried to authenticated i am finding following error message under failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
Need URL for patch 4.2.1.15.3 with comptaible for cisco acs appliance 1120 . Though its for appliance patch should be along with webserver . I have downloaded patch of SE its not comptaible to this hardware .
I am running windows based acs 3.3 in my lan environment going to be replaced with acs 1120 appliance running acs 4.2.1.15 , ACS 3.3 database has been built upto 4.2.0.124 ,step by step by upgrade process
now my database is with 4.2.0.124 dmp file , I cannot upgrade my database to 4.2.1.15 because 4.2.1.15 patch is not applicable & executable on 90 days evalution package of 4.2.0.124 of windows platform .
can i import my windows based 4.2.0.124 datbase directly to my acs appliance running 4.2.1.15.3 ??? , else its requires any step to be done to modify the windows based databse matching to appliance windows verison once .
I could see on appliance under restore settings the following options (restore from 4.2.0 backup file to acs 4.2.1)
I have ACS 1120 ACS appliance running ACS version 5.2.0.26.5 ,authenticating VPN users connecting from internet using radius protocol , we have requirement that VPN user account should be disabled by a specific date , Means user ID should be revoked when their contract expire connecting to our data center .
I know this feature is available on ACS version 4.2.,but i could not this feature set on ACS 5.2.0 when user account is created , whether any new sepicfic patch has this feature enabled after acs version 5.2.0.26.5.
With out this feature this set , i cannot ensure ID are revoked automatically ,when specific date come in to end user.
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
I am trying to create a backup of my 2620 router so I can use for GNS3.
I have only configured the IP address on my FastEthernet port. Having many issues with no connection to my pc, finally I found that you must enable the interface 'no shutdown'. Now I have a valid connection
I have made no other configurations on this router, everything else is default.
I can successfully PING from both ends
**PROBLEM: My problem is that when trying to 'copy flash' to my TFTP server, the response is**
We are using almost 10 Nexus 5k in our DC currently we are getting same error logs in all Nexus 5k." ntpd[4746]: ntp:time reset +0.279670 s " ,Is it major error or just for reset time?
I have Cisco 2800 series router. When I am trying to write memory getting error message " Error opening flash:config-backup-1 (No more root directory entries available)" When there is simultaneous access to a router's NVRAM, we might encounter these errors. In order to clear the line the other user(s) is (are) connected on and free the NVRAM, issue the clear line command. But still getting the same error message.
We are getting some error logs on Nexus VDC,as follows:2012 Nov 23 08:49:11 N7K_B-Network_Center_B %$ VDC-3 %$ last message repeated 6 times 2012 Nov 23 08:50:21 N7K_B-Network_Center_B %$ VDC-3 %$ last message repeated 7 times 2012 Nov 23 08:49:11 N7K_B-Network_Center_B %$ VDC-3 %$ last message repeated 6 times2012 Nov 23 08:50:21 N7K_B-Network_Center_B %$ VDC-3 %$ last message repeated 7 times.
We use C2950G switches with IOS 12.1(22)EA12 . Switches are set up to send logs to a server (informationnal level). On this server, we receive many of logs from those switches, but none about interfaces errors (even if interfaces statistics show interfaces errors). On C3548 switches it's work fine.How should I be sure the set up of switches is correct ? Why do I never receive messages as %LINK-4-ERROR:[char] is experiencing errors ?
Aug 12 15:30:57.127 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:02.175 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:08.219 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:10.239 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected
there is no error messages related to PSU in "show env all " log .
here is show version - ------------------ show version ------------------
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2) Technical Support: [URL] Copyright (c) 1986-2009 by cisco Systems, Inc. [Code] ....
I have 3 ACS servers placed throughout N. America. I it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When i look at the logs for passed/failed authentications in radius or tacacs I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and tacacs and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02.Anyway it seems like a small problem but i need the logs to work correctly to properly administrate security.
We are getting some error logs on Nexus switch 7K.
Loggs: ---------- 2012 Oct 30 22:36:07 SWITCH %CMPPROXY-STANDBY-2-LOG_CMP_UP: Connectivity Management processor(on module 6) is now UP 2012 Oct 30 22:36:40 SWITCH %SYSMGR-2-GSYNC_SNAPSHOT_SRVFAILED: Service "ipqosmgr" on active supervisor failed to sto re its snapshot (error-id 0x40480005). 2012 Oct 30 22:36:40 SWITCH %SYSMGR-2-STANDBY_BOOT_FAILED: Standby supervisor failed to boot up. 2012 Oct 30 22:36:42 SWITCH %PLATFORM-2-MOD_REMOVE: Module 6 removed (Serial number JAF1550ATBR) 2012 Oct 30 22:42:08 SWITCH %BOOTVAR-5-NEIGHBOR_UPDATE_AUTOCOPY: auto-copy supported by neighbor supervisor, starting
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
I have saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs, though I can login to the network devices using Tacacs login, but I am not getting Tacacs authentication logs ?
