Cisco AAA/Identity/Nac :: ACS 5.1 Managed Device Count Exceeded Error

Jul 6, 2010

I've just installed ACS 5.1 and noticed that it seems to count managed devices differently than previous versions.
 
I have a 500 count license which should be fine as I have about 100 devices which will use ACS for TACACS. On ACS 3.x and 4.x, I would set up AAA clients by using a wild card for the subnets that host our routers/switches, say 192.168.1.0/24, 172.16.1.0/24 and 10.1.1.0/24. When I do this with ACS 5, I get a Managed Device Count Exceeded error message because of the potential of more than 500 AAA clients. It seems to be counting every IP address in the subnet as a managed device, even if there are only a handful actually in use. Is there a way around this short of having to manually enter (and maintain) the exact IP address of every managed switch and router which will use the ACS server for TACACS?




Cisco AAA/Identity/Nac :: ACS 5.1 Radius Device Administration Error 11033

Jul 20, 2010

I'm trying to configure ACS 5.1 as RADIUS server for a Catalyst switch but I can't make it work. I keep on getting the "11033 Selected Service type is not Network Access" error message.

TACACS works fine but RADIUS does not. Any sample device administration config to use with RADIUS? It seems the service type does not work with RADIUS in this scenario (RADIUS + device admin).


Cisco AAA/Identity/Nac :: ACS 5.3 Error When Changing Device Group Or Location

Jun 13, 2012

I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
 
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
 
It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):

Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: ACS1
Version information of installed applications
---------------------------------------------
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839

I'm suspecting it's a read/write issue with the database or a database corruption. I have stopped and started the application acs via the console and show application status acs has the following to say about itself.

ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running


Cisco :: LMS 4 Device License Count

Aug 29, 2011

In previous LMS versions the DCR could hold more devices than the licenses of the other applications permitted, and using the "user defined fields" we have used it as a general device repository for some customers, pushing only the supported Cisco devices to the various applications. In LMS 4 Cisco has removed all allocation possibilities from the various applications and replaced it by an all or nothing type of allocation. Does this now mean that any entry in the DCR is automatically counted as a used device license?


Cisco :: LMS Ver 4.0.1 Unable To Set Error Count Options

Aug 25, 2011

I have a recent new install of Cisco Works and all is working fine. My issue is with a feature that doesn't seem to be present. When I create a report to check on sys logs the report returns all sys logs whether they are repetitive or not. Is there a way to have the same sys log error come back with a number of occurrences?

The feature doesn't show up when I create a custom report?


Cisco AAA/Identity/Nac :: ACS 5.1 View Application Exceeded Its Maximum Allowed Disk Size

Apr 6, 2011

This is the error message I am getting on our ACS 5.1 appliance - is there any way to purge the database or compact the file?


Cisco Switches :: ESW 540 8-port Way To Make Device Behave Like Boring In-managed Switch

Mar 18, 2013

I bought an ESW 540 8-port switch, mainly for the POE capability over all 8 ports, so that we can power some SPA50X phones. The concepts of a "managed" switch are challenging for a newbie. Is there a way to make this device behave like a boring "unmanaged" switch?? We have plenty of bandwidth, and don't need to be troubled by QoS and virtual LANs, or all the security stuff at this time. Making this device work like an unmanaged switch (aka plug-and-pray).


Cisco AAA/Identity/Nac :: 2000 Base Concurrent Users Exceed License Allowable Count

Mar 25, 2013

Getting the following alarm from my ISE: Cause: Base License Enforcement Details: Base concurrent users exceed license allowable count. Currently only using 1656 out of 2000 base licenses so I'm not sure what the issue is. Running 1.1.2.145 patch 3.


Cascading Managed And Un-managed Switches

Oct 17, 2011

Is it possible to cascade a managed Cisco switch with an unmanaged switch via SFP LC modules?


Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.


Cisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity

Oct 6, 2012

I have two ACS v 5.2 (primary and secondary) and some users are in the internal store and the others are in the AD. The local site topology is like this:
 
PC - AP - WLC - ACS - AD
 
Authentication method is PEAP (EAP-MSCHAPv2) and all users have the company certificate installed. The OS on the client machines is Windows 7. Users were working fine but some users report intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms. I believed it was because the user wasn't in the AD database, but sometimes the same user is authenticated successfully and other times I see the "22056...." or "24415...." alarms.

I switched the role of the primary ACS to work as secondary and we see the same alarms.


Cisco :: LMS 4.0 Device Update Error

Mar 6, 2013

Every time I try to use the Cisco.com device update I receive the error in the attached file.
 
I'm not sure if this is related to me not configuring the proxy settings since we do not use a proxy server.
 
I've configured our CCO username and password only. Is there a known issue with using the web GUI to get updates using the cisco.com option?


Cisco :: LMS 4.0 Error With Device Performance Report

Oct 7, 2012

Device performance report of LMS 4.0. You can see the picture below about the problem. How do I resolve it?


Error Message Popped Up - Unable To Uninstall Device?

Feb 1, 2011

So I was having trouble loading a game on my computer and I was scrolling through forums looking for an answer, and one answer that supposedly worked for a lot of people was to uninstall and reinstall my network card. It told me to go to devices -> right click network adapter -> uninstall -> then scan for hardware changes to reinstall. When I clicked uninstall an error message popped up and said "Unable to uninstall device because device is required on startup" and then it apparently just uninstalled it anyway and it showed back up after I clicked "scan for hardware changes". Now ever since, every time I try to connect to the internet my computer says "Limited or no connectivity" and I'm unable to access the internet on that computer. The computer I am on now can connect just fine, so it must have something to do with the network card that I supposedly uninstalled.


Cisco WAN :: Allow Exceeded MSS On VPN Router 881

Jul 26, 2012

Branch office has 881 VPN router. Services that ignore MSS in packets don't work. Adjusting MSS has no effect since the services are ignoring that setting. works fine, but some Yahoo sites don't. Found a workaround for exceeded MSS for PIX and ASA (link below), but can't find anything for VPN routers.


Cisco WAN :: 881 Allow Exceeded MSS On VPN Router?

Jun 3, 2013

Branch office has 881 VPN router. Services that ignore MSS in packets don't work. Adjusting MSS has no effect since the services are ignoring that setting. Example: www.google.com works fine, but some Yahoo sites don't.
 
Found a workaround for exceeded MSS for PIX and ASA (link below), but can't find anything for VPN routers. url...


Cisco Application :: ACE 4710 Device Manager ERROR In Loading Configuration

Nov 20, 2012

When trying to view the status in the Monitor tab and the Config tab after you log in to the ACE 4710 Device Manager A5 (1.2) management GUI tool, I could not retrieve the status data and the following message appeared.
 
"Faild to upload Adimn configuration: There is error in loading configuration: Error in loading RMO config from DB:The given index XXXXXXXXX.bak does not match table index definition"
 
Other features include all normal, so I can get information by using the CLI. In addition, this configuration is redundant in the Primary / Secondary, this event occurs only on the Primary.

Other:

-XXXXXXXXX.bak is a backup that you created in the checkpoint, and it does not already exist.

-When I'm logged on to the GUI, the above message is displayed in the status bar always.

-It was not recovered by ACE restart it.

-When I try to create the same configuration in a different environment, it did not reproduce.


Cisco AAA/Identity/Nac :: Device Restrictions In ACS 5.3?

Mar 13, 2013

In our scenario, easy VPN users are being authenticated by ACS 5.3 successfully. We have created a separate user group for these users. The issue is, these users are also able to access our routers using their username/password. I want to restrict this particular group so that it's not able to access any device.


Cisco AAA/Identity/Nac :: ACS (4.2) Read Only Device Access?

Sep 30, 2010

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
 
1) Created a user in ACS
 
2) Created Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added
show
exit

* this should limit the user to the show and exit command only (correct)?
 
3) Created a group - HelpDesk with the following TACACS+ Settings

Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
 
When the user logs on to the router/switch it appears that he has full access.  He can enter the enable command, config terminal command, etc.  All we want him to be able to do is to issue the show command.


Cisco AAA/Identity/Nac :: ACS 5.3 Time And Telnet Device Name?

Sep 12, 2012

This is a great place for ACS discussions; I need two more inputs from experts.
  
acsserver
Thu Sep 13 14:35:28 UTC 2012
pughaz
15
[ CmdAV=ip tacacs source-interface FastEthernet 0/1 ]
Device Type:All Device Types:ROUTERS, Location:All Locations:NON DC DEVICES
                  
On the above message:

1. Need to change time from UTC to IST.

2. The Device column is not showing the exact device name; I telnet in and change the config, and it is showing the device group name only. How do I get the exact device name I telnet to in this message?


Cisco AAA/Identity/Nac :: ACS 5.2 Device And Network Access

Oct 15, 2012

I have a question regarding the Cisco Secure ACS 5.2 and network access vs device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS for allowing for 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?


Cisco AAA/Identity/Nac :: Device Access Based Upon NDG Using ACS 5.2?

Mar 15, 2012

I have 2 types of network, DC & Office. I have 3 types of users: NOC, Office & DC. Office network devices are in Office NDG, DC network devices are in DC NDG. Because of such config, Office network users can only access Office devices & DC network users can only access DC network devices.... Now I have NOC users, who want access to both Office & DC network devices. How can I achieve this?


Cisco AAA/Identity/Nac :: Integration ACS 5.2 With Other Device (sandvine)

Sep 18, 2012

I have a ACS version 5.2 (TACACS) where I require equipment integrated with Sandvine, I currently looking information and very little to manage the integration of ACS with these teams Sandvine.
 
I have an information on the provider Sandvine with a guide to the case where only states:

TACACS+ server
On a TACACS+ server, each user entry must allow the service "Sandvine". Within this
service, the following attribute-value pairs can exist:
• An attribute named "Sandvine-Group" of type string.

[Code]......


Cisco Switching/Routing :: NEXUS 7000 Octopus Internal Error In Device 78 Message?

Nov 12, 2012

NEXUS 7000 Octopus internal error in device 78 message. I got this on NEXUS 7000 logs:
 
 Nov 12 22:05:14 smale-outside : 2012 Nov 12 21:05:14 BRST: %MODULE-2-MOD_DIAG_FAIL: Module 2 (serial: JAF1548AMKB) reported failure on ports 2/1-2/32 (Ethernet) due to Octopus internal error in device 78 (device error 0xc4e0025b)
Nov 12 22:05:17 smale-outside : 2012 Nov 12 21:05:17 BRST: %MODULE-2-MOD_FAIL: Initialization of module 2 (serial: JAF1548AMKB) failed
Nov 12 22:05:18 smale-outside : 2012 Nov 12 21:05:18 BRST: %MODULE-2-MOD_FAIL: Initialization of module 2 (serial: JAF1548AMKB) failed

[code]....
 
I only have found:
 
[URL]
 
which does not match reality: no one was configuring VLANs.


Cisco :: Licensed Host Limit Of 10 Exceeded?

Sep 28, 2011

I thought that in the past I had problems with my ASA5505 because I had to reboot a number of times, now that I have logging enabled I can see the following: - Deny traffic for protocol 17 src inside, licensed host limit of 10 exceeded. Does this mean that I can not have any more than 10 inside hosts going out of the outside interface at any time, if not what this means and how I can solve it.


Cisco AAA/Identity/Nac :: Getting ACS 5.4.0.46.3 Error

Jun 3, 2013

ACS 5.4, when I was working in it. In the CLI appeared this file to solution I have to reload the ACS.
 
SMflag : 1
Cmd str: halt
Save the current ADE-OS running configuration? (yes/no) [yes] ? no
Continue with shutdown? [y/n]
Func Trace: <<< vsh_mark_process_status >>>
22007: Terminated by signal 2.
EOL ==>completed
Job is complete
Restored the shell's terminal mode.
EOL: abnormal exit: code: 0
EOL: signaled: 2 Interrupt
Cmd execution successful
[Code] .........


Cisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?

Dec 1, 2011

My admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1). Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?


Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Network Device Authentication

Apr 19, 2011

I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.

I am not sure if Cisco ACS 5.2 supports RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. If Cisco ACS 5.2 supports RADIUS auth for device authentication?


Cisco AAA/Identity/Nac :: ACS 5.1 - How To Configure Rules To Allow 802.1x And Device Access

Aug 21, 2011

I am new to ACS 5.1. I need to configure the ACS to act as the 802.1x authentication server, as well as act as the RADIUS server for the authentication and authorization process when I access the switch.

I had created two rules (under the Access policy) to cater for the two scenarios, but it always gets "stuck" at the 1st rule. For e.g. Rule-1 is meant for the 802.1x, Rule-2 is meant for the AAA process. When I tested with 802.1x, it worked perfectly. But when I tested to login to the switch, it always failed. Based on the log, Rule-1 is not able to fulfill my requirement (of course it can't). I thought the rules check process would proceed with Rule-2, but apparently it did not.


Cisco WAN :: 1841 / How To Test ICMP Time-exceeded

Oct 28, 2012

I had a client request to block ICMP requests on their 1841 WAN link. I've got ACL hits for ACE 170 but not for 171.

How to test or simulate for ICMP time-exceeded? Is this TTL related and is there a DOS command or any way to produce a ping packet with a lower TTL count that would hit the ACL log? Below is the config.
 
interface FastEthernet0/0
ip address 202.42.x.y 255.255.255.252
ip access-group IDS_Fastethernet0/0_in_0 in
 ip access-list extended IDS_Fastethernet0/0_in_0

[code]....


Cisco AAA/Identity/Nac :: ACS 4.2 Gives Internal Error

Oct 8, 2012

On ACS 4.2.0.124 version installed on Appliance 1113. We are getting error code as "Internal error" and also "Enabling Tacacs+ is not allowed for this Access Server" while client authentication.


Cisco AAA/Identity/Nac :: Authentication Error In ACS 5.3

Sep 7, 2012

I configured ACS 5.3 and added AAA clients with TACACS+ server and shared secret key as cisco123. I did the below config on the switch also. When I try to authenticate login with ACS it does not respond. Find the configuration and debug output.

In debug output it gives ruser and rem_addr is null. I did not understand why.

I am able to ping the ACS server and I used telnet 192.x.x.10 49 and it gives the proper output.
 
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
ip tacacs source-interface Vlan172


AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?

Jan 14, 2013

I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?








Copyrights 2005-15 www.BigResource.com, All rights reserved