Cisco AAA/Identity/Nac :: ACS 5.1 - Exclude Reporting For Specific Username?
May 16, 2011
I'd like to know if there is a way to exclude passed authentications for a specific username from reporting in the Authentications-TACACS and Authentications-RADIUS reports?
We have a few usernames that are used in scheduled jobs. We only need to know when they fail authentication, so we don't need to fill up the reports with every passed authentication from these accounts. Can this be done?
I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced monitoring and reporting is installed on the ACS. This is my configuration on the Cisco Router
aaa accounting exec default start-stop group tacacs+aaa accounting commands 0 default start-stop group tacacs+aaa accounting commands 1 default start-stop group tacacs+aaa accounting commands 15 default start-stop group tacacs+aaa accounting connection default start-stop group tacacs+ logging origin-id iplogging facility sysloglogging source-interface GigabitEthernet1/1logging host 1.1.1.1 transport udp port 20514 logging monitor informational epm logging
On the ACS, when I open the dashboard --> ACS health -> I get Status not available.Global Instance under Logging Categories been configured for local logging?
I am configuring new ACS 1121 appliance with version 5.3 and wanted to know how to configure Remote Database settings in ACS5.3 Is that necessary to configure that option ?
Also one more thing I can see that ACS 5.3 generates lots of logs is there any solution to reduce such logs. It seems many unuseful logs which are system related are getting logged into device which might no be good for memory requirements of device.
Does ACS 5.3 has a feature to allow you to change or otherwise manipulate a user-name value within ACS as an authentication request comes into the system.
We want to use ACS to authenticate users to a particular device, but the device does not allow us to have username's in the format that we require, and the rest of our systems allow and require.
We want a way of manipulating the user ID of someone logging into the system, so that when the authentication request hits the ACS their username is massaged into the format we require, before being further processed against identity policies etc.
We're using AAA Sec4.1 and we need to bind the username with IP address for remote VPNs configured on Netscreen ISG2000 firewall. We want AAA should check two things against any user first IP address and second Username in order to authenticate the users.
we have a new ACS 5.2 server, and are having a problem with the case sensitivity of ACS. Basically, what is happening is that some users are capitalizing the first letter of their AD username, and it's causing ACS to deny their access due to the case of their username. For example:
Username yyy0h22 grants admin access to a device. However, Username Yyy0h22 denies access to a device.
Is there a way to make it so that no matter uppercase or lowercase, we are giving this person access? Without having to make a different rule for each permutation?
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
I need to change the username and password ACS uses to connect to AD. I do a "clear configuration" and reboot and am unable to join the ACS appliance back into my AD with a different username and password. I am able to rejoin the ACS machine to the domain using the original username and pass. how to clear all of the AD config off of the appliance and start fresh and use a new account to join AD?
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh aaa authentication ssh console SERVER_RADIUS LOCAL ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 60
My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
I'm using Cisco ACS 3.3 for RADIUS. How to do I make Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.
We have a distributed ACS 5.3 set up - a PR and DR replicating successfully.I've set up 4 remote syslog targets. 2 of them are at the same site as the PR ACS and 2 are at the same site as the DR ACS.The logging collector is set on the PR ACS.
The problem is that it "appears" that PR ACS is only sending PR ACS syslog info to one of the remote syslog targets out of the four.
The syslog target which does receive from the PR ACS is at the same site as the PR ACS.
"appears" means that some one has looked on the syslog targets to see what's been received / or not received.
I've been told that the syslog traffic for syslog targets is being received from the DR ACS. Which is strange as the PR ACS is the actual log collector (and is not at the same site as the DR ACS).
I've also got Alarm Syslog targets set up on the PR ACS , (2 are the same ip addresses used in the 4 remote syslog targets). IP addresses of the remote syslog targets have been double checked and can be pinged from each ACS (PR and DR).
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
I have ACS 1120 ACS appliance running ACS version 5.2.0.26.5 ,authenticating VPN users connecting from internet using radius protocol , we have requirement that VPN user account should be disabled by a specific date , Means user ID should be revoked when their contract expire connecting to our data center .
I know this feature is available on ACS version 4.2.,but i could not this feature set on ACS 5.2.0 when user account is created , whether any new sepicfic patch has this feature enabled after acs version 5.2.0.26.5.
With out this feature this set , i cannot ensure ID are revoked automatically ,when specific date come in to end user.
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
8.4(3) I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server 64.90.175.90, DNS times out. If I remove the above nat command, it works again. It seems like even though DNS UDP originates from inside which should create a statefull connection, ASA still messes with return DNS responses.I then tried to create an "exclusion" for that IP with the following:
ADSL ---> Cisco 877 with connected site-to-site VPN's ---> Cisco ASA 5505 with Remote VPN enabled
I want to connect my Android phone to the Cisco ASA 5505 with Remote VPN. When I forward port 500 and 4500 on the Cisco 877 to the Cisco ASA5505 I can connect with the phone.
But as expected, the site to site connections are lost because now they try to reach the ASA 5505 also.
I want to exclude the site to site external IP addresses from doing static NAT to the ASA 5505...how can I accomplish this ?
I have a number of devices such as Cisco Call Manager, or Cisco Wireless Controllers, etc that I want to remain in DCR but would like to exclude from the Config Archive process. Is there any way of excluding an individual device from this process?
I have an inventory added to Ciscoworks and am getting alerts on interfaces that I want to exclude but for the life of me I can't figure out how to exclude interfaces. Any tips on how to exclude interfaces from the fault engine in 4.1.
In earlier versions of LMS it was possible to choose i.e. the Routers category (top level) and enter a series of commands to be excluded from the comparison. In LMS 4.0.1 I experience, in several different installations, that this is not possible. It seems I can enter one exclude command beyond the defaults per category, the rest is not applied even though the feedback from the application is positive. Next time I access the Exclude Commands view, the commands I entered are gone. Is this a change of behaviour or a bug?
I use a router RV082 with load balancing. My problem is when I try to access a specific site, I get the error message that my IP address changes and I can not use 2 ip address. I want to specify an ip range to always use the same WAN port.
I have configured a SVI in my 4500 ( Sup 7-E 10GE,,,,,,and,,,,,cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin) switch and it is showing Down Down, because there were no active switch port in the vlan, I added one switch port to this vlan but this port also in the down state, so i added the SWITCH PORT AUTO STATE EXCLUDE command under this port, even after this also the SVI never came up, So i added one systen to the port so both the switch port and the SVI came up...So why SWITCH PORT AUTO STATE EXCLUDE command have no effect in this model of the switch..
Is there any way to get reports on voice utilisation on WAN links so that CAC settings can be proactively managed for each location on our CUCM cluster? Our service provider is advising that this is not possible which means that we rely on customer/staff complaints to recognise where CAC thresholds are being reached. Our preference is to be able to run traffic reports (or the Cisco equivalent) as could be done on our previous (traditional) telephony network and provide additional capacity if and when required BEFORE congestion is reached, thus minimising customer/staff impact.
Runing the report, "CleanAir > Worst Interferers" and I get this error
The specified criteria did not match any data for the report. Make sure that the following background tasks are running: 1. Interferers
I know there is data that should match up because I can see it on the individual controllers. I checked the background task Interferers and it appears to be working as well but just to make sure I forced the "Execute Now" command but the report still failed.