Cisco AAA/Identity/Nac :: ACS 1120 And RAID Configuration?
Jul 4, 2011
I encountered some strange issues with one of our appliances in the field. Reinstalled and encountered the strange issues again. No errors... did some memory tests and the Seagate hard disk test and encountered SMART errors. The device didn't log those errors anywhere... First reason to check the second hard disk. The appliance is shipped with two, so the first thing I was thinking of was RAID. I saw that RAID wasn't configured. Tried to boot the second hard disk and saw that nothing was on that disk... so what is the main reason you get two of those? Got the new machine and tried some options to configure RAID. You get two options... I didn't see this before; most of the time you get only one option: RAID driver on, or no RAID configuration at all. First tried the Intel Storage Matrix, configured both of the disks for mirror and installed ACS 5.2. The machine boots after install and rejects the DVD. Result: the installation doesn't boot! Checked the partition with gparted, but the partition is active (or flagged as boot). Second option was LSI; got the RAID configured for mirror and the installation was also completed. Result: working installation. Tried to test if the installation is still working after removing one of the disks. The appliance complains that the RAID is missing one disk (so this works). After that the machine tries to boot; result: no working ACS.
Is it possible to have a RAID configuration on the virtual hard disk of a virtual machine? As an example case, I have 1 PowerEdge R910 which I have installed with Windows Server 2008 R2 Enterprise Edition, and I use its Hyper-V as the hypervisor. The HDDs of the PowerEdge are not RAIDed. I want to make 4 virtual machines installed with Windows Server 2008 R2 as the virtual OS on Hyper-V, and I want only 1 of them to have its virtual HDD RAIDed.
I'm currently looking for a document that specifies how many MAC addresses can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store over AD or LDAP for MAB authentication for an 802.1X project. I would like to know what the impact on the ACS is: CPU/MEM? What is the impact on user authentication? Delay, timeout, etc.
We have downgraded a Cisco ACS appliance 1120 from ACS 5.0 to ACS 4.2.1.15. When we perform an ICMP ping request to the ACS appliance, it's not responding, but I can do a ping test from the ACS appliance in console mode, not from GUI mode.
Is there any option to enable ICMP ping response on the Cisco ACS 1120, or any patch to be upgraded to perform this action? My requirement is to enable ICMP ping on the ACS appliance for troubleshooting, instead of always checking with telnet x.x.x.x 2002 for the service responding.
I have configured the appliance and everything is working fine. We have a remote syslog server and I have configured the remote syslog server details in the "Remote Log Targets" and Logging Categories, but I cannot see any logs on my syslog server.
I have an ACS appliance that had version 5.1 and I did an upgrade to 5.3 with the latest patch. For some reason, the runtime process got stuck in the (reinitializing and restarting) state. I did the recommended action of performing ACS stop and ACS start and even a hard reset of the appliance, but it did not cut it. This process turned out to be a bug and it should have been fixed in version 5.3, but it has not, I guess.
I know that acs reset-config will solve the issue, but I have a problem here: the license file will be deleted as well with the config, and I cannot find a way to export the license and then import it into the reset-config ACS hardware. Unfortunately, the license file is not saved anywhere in the company and I cannot afford to lose it. How do I export the license from the appliance (CSACS-1120)?
I am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS requests from a Cisco WLC 5508 appliance running version 7.0.116.0. These devices have open communication on all ports (no firewalls or ACLs) and they have successful ping communication. The following statements illustrate some but not all of the debugging I have done to ensure each device functions as it should in isolation.
- Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS: this works and the WLC gets a RADIUS response from my makeshift server.
- Using a simple Windows EAP client to query the ACS using the RADIUS protocol: this works and the ACS processes the RADIUS request and sends a response.
- Placed a Wireshark client on the network to inspect the timeout. Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS.
At the moment I have the WLC accepting the association from the wireless client and sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS; the WLC receives no response, generates a timeout message and disassociates from the client. Note this is not a reject or similar message; the ACS simply does not even process the packet, i.e. there is absolutely nothing in the ACS logs to suggest it even received a RADIUS packet from the WLC. In summary, the WLC and the ACS successfully function independently but they do not communicate via RADIUS.
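Added example, not from the original post and not Cisco code: a minimal RADIUS check in Python that shows why a request can vanish with nothing logged. RFC 2865 requires a server to silently discard an Access-Request from a NAS for which it holds no shared secret, and RFC 2869 requires the same for a request whose Message-Authenticator (mandatory on EAP requests) does not verify, so a wrong secret or a WLC address that is not defined as a network device on the ACS produces exactly the symptom described above. The shared secret, user name and IP addresses below are constructed placeholders.

```python
"""Build a RADIUS Access-Request as a NAS would, run the server-side
Message-Authenticator check on it, and verify a reply's Response
Authenticator as the NAS would.  Constructed example; all values are
placeholders, not a live WLC/ACS exchange."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, secret: bytes, username: str, nas_ip: str,
                   authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with a Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet, computed
    with the attribute's own 16 value bytes set to zero."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Server-side check: find Message-Authenticator, zero it, recompute.
    A mismatch (wrong secret) means the packet is dropped before any
    authentication log entry is written."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """The reply a server holding the same secret would send for `request`."""
    ident = request[1]
    ra = response_authenticator(code, ident, attrs, request[4:20], secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + ra + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check: the reply must echo our Identifier and carry a Response
    Authenticator bound to our Request Authenticator and the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    req = access_request(42, SECRET, "wlc-test-user", "192.0.2.10")
    print("server accepts Message-Authenticator:", message_authenticator_ok(req, SECRET))
    print("server with another secret accepts:", message_authenticator_ok(req, b"other"))
    reply = build_response(ACCESS_ACCEPT, req, SECRET)
    print("NAS verifies reply:", verify_response(req, reply, SECRET))
```

The same binding works in the other direction: a reply whose Response Authenticator does not verify under the secret the WLC holds is dropped by the WLC and also shows up as a timeout, so confirming that the network-device entry on the ACS covers the WLC's source address and carries the same secret as the WLC's RADIUS server entry is the first check worth making.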
I have a problem with ACS 5.0 on reporting. On the "Monitoring and Report" page, in Favorite Reports, when I click on "Authentications - RADIUS - Today", my browser displays the error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified".
I must also mention that I never upgraded the version of ACS from 5.0; also, from the command line all the ACS services are running. It is running on a Cisco 1120 Secure Access Control Server appliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
When attempting to register an ACS instance to a primary (via System Administration -> Operations -> Local Operations -> Deployment Operations), I receive the following error as a popup in my browser:
"This System Failure occurred: /opt/CSCOacs/db/acs.crt (No such file or directory). Your changes have not been saved. Click OK to return to the list page."
I had 2 ACS 1120 appliances clustered; 1 suffered a hardware failure about a year ago, so I replaced it with a VM. That one is now the primary. I'm now wanting to replace the secondary instance (the remaining 1120 appliance) with a VM as well. I removed the current appliance from the network, installed the VM using the same IP address, and attempted to register. It failed as per the above error. After trying this a number of times, I then decided to return the 1120 appliance to secondary status and attempted to register it, with the same results as above.
I have ACS 5.0 running on a Cisco 1120 appliance. It has worked for 2 years. Suddenly, I discovered that users can no longer log in with their credentials. On close examination, when I console in, the booting does not complete. Screenshot attached.
I have 4 X ACS-1120. Each 2 are operating as a primary and backup. I want to add a license in order for the ACS to support more than the 500 networks which are included in the base license. As I understand it, this is the license required: L-CSACS-5-LRG-LIC=.
- Is this license applicable to the ACS-1120 appliance with ver 5.2? I understand that it is.
- For my scenario, do I need to purchase a total of 2 X L-CSACS-5-LRG-LIC= (one for each environment; one license will serve 2 X ACS in primary and backup), or do I need to purchase 4 licenses, one for each ACS? I understand that one license will serve a deployment of two ACS in a primary and active scenario.
I'm trying to join a brand new CSACS-1120 to our Active Directory without success. The process in itself should be pretty straightforward, but so far no luck.
I've configured the relevant info under "Users and Identity Stores > External Identity Stores > Active Directory".
Active Directory Domain Name: xxx.com
Username/Password: domain administrator account
When I test the connection I get an info dialog "This machine is currently connected to domain xxx.com". After that I try to save changes, which gives the reply "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."
I've noticed in the system log ("show logging system tail") that I get an exception as soon as I enter the AD configuration page, and subsequently every time I perform an action in that section.
Why does the AD join keep on failing, and what does the debug exception I'm getting mean?
I am trying to test EAP-TLS authentication on ACS 4.2.1.15 running on an Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box, and I have enabled the EAP-TLS features under Global Authentication Setup.
I have downloaded the client supplicant certificate file for my Windows XP machine. When I tried to authenticate, I found the following error message under Failed Attempts on my ACS appliance box: "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake". Under Certificate Revocation List, I have forced my CA as the CRL in use. Attached are snapshots of all.
Need the URL for patch 4.2.1.15.3 compatible with the Cisco ACS appliance 1120. Though it's for the appliance, the patch should be along with the web server. I have downloaded the SE patch; it's not compatible with this hardware.
I am running Windows-based ACS 3.3 in my LAN environment, which is going to be replaced with an ACS 1120 appliance running ACS 4.2.1.15. The ACS 3.3 database has been built up to 4.2.0.124 by the step-by-step upgrade process.
Now my database is a 4.2.0.124 dmp file. I cannot upgrade my database to 4.2.1.15 because the 4.2.1.15 patch is not applicable and executable on the 90-day evaluation package of 4.2.0.124 for the Windows platform.
Can I import my Windows-based 4.2.0.124 database directly to my ACS appliance running 4.2.1.15.3??? Or does it require any step to be done to modify the Windows-based database to match the appliance Windows version first?
I could see on the appliance under restore settings the following options (restore from 4.2.0 backup file to ACS 4.2.1).
I have an ACS 1120 appliance running ACS version 5.2.0.26.5, authenticating VPN users connecting from the Internet using the RADIUS protocol. We have a requirement that a VPN user account should be disabled by a specific date, meaning the user ID should be revoked when their contract for connecting to our data center expires.
I know this feature is available on ACS version 4.2, but I could not find this feature set on ACS 5.2.0 when a user account is created. Does any new specific patch have this feature enabled after ACS version 5.2.0.26.5?
Without this feature set, I cannot ensure IDs are revoked automatically when the specific date comes for an end user.
I need this SSL certificate installed on my ACS appliance 1120 for PEAP clients. I have exported the SSL server certificate from my old ACS 3.3 server, which is under the acscertstore folder, issued by a CA vendor. I need to reuse this same SSL certificate on my ACS appliance. The ACS appliance certificate setup requires the following two certificates to be installed for PEAP client authentication:
1) Server Certificate
2) CA certificate
Server Certificate: For the server certificate, I have my old certificate which is exported from my old ACS 3.3 server. When I tried to download my server certificate via FTP server onto my ACS appliance, it's looking for the private key and private key file. The private key and file were generated initially on the CSR request when this server certificate was requested from the CA vendor for my old ACS 3.3. I don't know the private key password. If I need the private key and file, then I need to generate a new CSR from my ACS appliance and submit this CSR output to my CA vendor to generate a new SSL server certificate, which is something like a new server certificate request.
CA certificate: For the CA certificate, when I open my existing SSL certificate under the Details tab in CRL Distribution Point, I can see the URL below. When I open this URL it gives the certificate revocation list. [1]CRL Distribution Point.
We just recently purchased a 3945 ISR G2 router and have an SRE-910 module (with two hard drives) configured in a RAID 1. We are running a stand-alone version of ESXi on the service module and I'm trying to figure out how to monitor the status of the RAID on the drives (along with other health issues). SNMP has revealed nothing so far, and even opening a support case for which MIBs to use has proved fruitless. All the documents I find on monitoring the modules say to use LMS, which is now Cisco Prime. I've downloaded the trial copy, put in the SNMP settings and scanned the router. I get device results and it shows that I have the SRE-910 module installed, but I get no other configuration/device information from the module itself.
I tried to create a new monitoring template using the NAM health template as the base template (which I'm assuming is the correct template). Unfortunately, when I actually try to deploy the template against the discovered router, I get an 'Unexpected end of list' error, which makes me assume I'm still doing something wrong.
I need to configure a RADIUS VSA configuration for my Alvarion device. The following are the attributes that need to be configured.
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)
[code]....
I was able to configure the first 6 attributes; how can I add the sub-TLVs ClassifierID, Priority, VLAN-ID and Classifier Direction, which come under Classifier? I don't see any option for that in ACS 5.x.
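Added example, not from the original post and not Alvarion's or Cisco's dictionary: Python that encodes and decodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) whose vendor payload is a chain of sub-TLVs, one of which (Classifier) is itself a container of sub-TLVs. This is the on-the-wire shape a nested "sub-TLV" dictionary entry has to produce. The top-level sub-attribute IDs and widths are taken from the list above; the Vendor-Id, the Classifier container ID and the IDs and widths of its four children are placeholders that must be replaced from the vendor's documentation.

```python
"""Encode/decode a Vendor-Specific attribute with nested sub-TLVs.
Constructed example: VENDOR_ID, CLASSIFIER_ID and CLASSIFIER_FIELDS are
placeholders, not the vendor's real dictionary."""
import struct
from typing import Dict, Iterator, Optional, Tuple

VENDOR_SPECIFIC = 26
VENDOR_ID = 65535  # PLACEHOLDER: substitute the vendor's IANA enterprise number

# (sub-attribute id, width in bytes) as listed in the post above
TOP_LEVEL: Dict[str, Tuple[int, int]] = {
    "Packet-Data-Flow-ID": (1, 2),
    "Direction": (4, 1),
    "Transport-Type": (6, 1),
    "UplinkQoSID": (7, 1),
    "DownlinkQoSID": (8, 1),
}
CLASSIFIER_ID = 9  # PLACEHOLDER id of the Classifier container
CLASSIFIER_FIELDS: Dict[str, Tuple[int, int]] = {  # PLACEHOLDER ids and widths
    "ClassifierID": (1, 1),
    "Priority": (2, 1),
    "VLAN-ID": (3, 2),
    "Classifier-Direction": (4, 1),
}


def tlv(tid: int, value: bytes) -> bytes:
    """One Type-Length-Value element; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("TLV value too long")
    return struct.pack("!BB", tid, len(value) + 2) + value


def int_field(value: int, width: int) -> bytes:
    """Big-endian integer of a fixed width; refuse values that would wrap."""
    if not 0 <= value < 1 << (8 * width):
        raise ValueError(f"{value} does not fit in {width} byte(s)")
    return value.to_bytes(width, "big")


def encode_vsa(fields: Dict[str, int],
               classifier: Optional[Dict[str, int]] = None) -> bytes:
    """Vendor-Specific attribute: Type 26, Length, Vendor-Id, then sub-TLVs.
    The Classifier container's value is itself a run of TLVs."""
    body = b""
    for name, value in fields.items():
        sid, width = TOP_LEVEL[name]
        body += tlv(sid, int_field(value, width))
    if classifier:
        nested = b""
        for name, value in classifier.items():
            sid, width = CLASSIFIER_FIELDS[name]
            nested += tlv(sid, int_field(value, width))
        body += tlv(CLASSIFIER_ID, nested)
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + body)


def walk_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (id, value) pairs; reject truncated or zero-length elements so a
    malformed attribute can neither loop forever nor read past the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tid, tlen = buf[pos], buf[pos + 1]
        if tlen < 2 or pos + tlen > len(buf):
            raise ValueError("bad TLV length")
        yield tid, buf[pos + 2:pos + tlen]
        pos += tlen


def decode_vsa(attribute: bytes) -> Dict[str, object]:
    """Inverse of encode_vsa, useful for checking what a dictionary entry emits."""
    items = list(walk_tlvs(attribute))
    if len(items) != 1 or items[0][0] != VENDOR_SPECIFIC:
        raise ValueError("expected a single Vendor-Specific attribute")
    payload = items[0][1]
    if len(payload) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor = struct.unpack("!I", payload[:4])[0]
    if vendor != VENDOR_ID:
        raise ValueError(f"unexpected Vendor-Id {vendor}")
    top_names = {sid: name for name, (sid, _) in TOP_LEVEL.items()}
    child_names = {sid: name for name, (sid, _) in CLASSIFIER_FIELDS.items()}
    out: Dict[str, object] = {}
    for sid, value in walk_tlvs(payload[4:]):
        if sid == CLASSIFIER_ID:
            out["Classifier"] = {child_names[c]: int.from_bytes(v, "big")
                                 for c, v in walk_tlvs(value)}
        else:
            out[top_names[sid]] = int.from_bytes(value, "big")
    return out


if __name__ == "__main__":
    vsa = encode_vsa({"Packet-Data-Flow-ID": 300, "Direction": 1},
                     {"ClassifierID": 1, "Priority": 3, "VLAN-ID": 100,
                      "Classifier-Direction": 0})
    print(vsa.hex())
    print(decode_vsa(vsa))
```

Two details matter when such an entry is defined by hand: the integer8/integer16 widths from the list above decide how many value bytes each sub-TLV carries, and the whole attribute (Vendor-Id plus every nested TLV) must fit inside the 253-byte RADIUS attribute limit, which the encoder enforces.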
Cisco ACS 5.x appliance: how to back up the config? What is the best way, via TFTP? COPY Startup-config tftp:? COPY Running-config tftp:? I currently use SolarWinds CatTools to back up my Cisco switches; can I use this for Cisco ACS also?
I am trying to do a query, according to chapter 4 in the ACS 5.3 Secure Access Control System 5.3
Doing a PUT request, I have a header of Content-Type: application/xml and my payload is: [code] All I want to do is get a list of users who belong to that group.
I want to send ACS logs to a syslog server. I have configured syslog under System Administration --> Configuration --> Remote Log Targets.
Name: Syslog Server
IP: x.x.x.x
Port: 514
Facility Code: Local 6
Maximum length: 1024
I have opened the respective ports in the firewall also, but the syslog server is not getting any logs from ACS. I have another log target, which is the ACS secondary server, to collect the logs from primary and secondary with the below config, which is working fine:
Name: Logcollector
IP: x.x.x.x
Port: 20514
Facility Code: Local 6
Maximum length: 1024
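Added example, not from the original post and not ACS code: a small Python check for the syslog path described above. It builds a message with the PRI value that "Local 6" and an informational severity produce (RFC 3164 section 4.1.1: PRI = facility * 8 + severity, so 22 * 8 + 6 = 182), caps it at the configured maximum length, and proves a UDP listener can receive it over loopback. Run the same listener on the collector host bound to the real port (514 here) to learn whether datagrams from the ACS arrive at all; if they do not, the problem is on the path (firewall, wrong target IP), and if they do, it is the collector's own filtering. Host name, tag and message text are constructed.

```python
"""Syslog PRI encoding plus a loopback listener check.  Constructed example;
host, tag and message text are placeholders."""
import socket
from typing import Tuple

FACILITIES = {f"local{i}": 16 + i for i in range(8)}  # local0 = 16 ... local7 = 23
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, host: str, tag: str,
                  text: str, max_len: int = 1024) -> bytes:
    """Assemble '<PRI>HOSTNAME TAG: MSG' and cap it at the target's maximum length."""
    msg = f"<{pri(facility, severity)}>{host} {tag}: {text}".encode()
    return msg[:max_len]


def parse_pri(datagram: bytes) -> Tuple[int, int]:
    """Split a received PRI back into (facility code, severity code)."""
    if not datagram.startswith(b"<") or b">" not in datagram[:6]:
        raise ValueError("no PRI field")
    value = int(datagram[1:datagram.index(b">")])
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return value // 8, value % 8


def loopback_check(facility: str = "local6", timeout: float = 2.0) -> Tuple[int, int]:
    """Bind a UDP listener on an ephemeral loopback port, send one message to
    it and return the (facility, severity) the listener decoded.  Binding
    ("0.0.0.0", 514) on the collector host (needs root) turns this into a
    check of whether the ACS's datagrams reach the box."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(build_message(facility, "info", "acs-primary", "acs-test",
                                    "constructed test line"), ("127.0.0.1", port))
        datagram, _ = listener.recvfrom(2048)
    return parse_pri(datagram)


if __name__ == "__main__":
    print("PRI for Local 6 / info:", pri("local6", "info"))
    print("listener decoded (facility, severity):", loopback_check())
```

A collector configured to accept only a particular facility will drop lines whose PRI does not match, so the facility decoded by the listener is worth comparing with the collector's filter when datagrams arrive but nothing is stored.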
Disable telnet for ACS 1120 appliance version 5.0.0.21: is there any way to do it? Not able to log in via telnet and SSH; it says wrong credentials, but the web GUI is working fine with the same user and password.
I'm having trouble getting TACACS+ to work correctly with ACS 5.1 and a simple Catalyst 3750 switch. I can authenticate with AAA; however, I cannot get a single command to work once I'm in: "Command authorization failed", even on "enable".
Any useful resource that will walk me through the process?
Configure AAA (RADIUS server, access list). There are two devices: an access point and a Cisco 881W. It is necessary to set up authentication through a RADIUS server. Can you explain in detail how to do this?
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all, I would like to say that I configured MAB authentication, and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appeared when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server was up again, I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]