Cisco AAA/Identity/Nac :: ACS 5.2 System Alarm Database Purging
Apr 19, 2012
On Cisco ACS 5.2.0.26 Patch 10, I got this system alarm: Incremental backup is not configured. Configuring incremental backup is necessary to make the database purge successful. This will be useful to avoid disk space issues. View database Size is 2.92GB and size it occupies on the harddisk is 2.91GB
In "Monitoring Configuration > System Operations > Data Management > Removal and Backup", we got this information:
Database Purging: If database size exceeds 120 GB, a backup (if configured) and purge will be initiated. If database size exceeds 150 GB, a purge will be initiated.
Could the View database size reach 120 GB? I want to know how long Cisco ACS will work without problems and whether I need to hurry to configure purging.
View 2 Replies
May 7, 2013
How often does ACS 4.1 purge dynamic users from its user group after inactivity?
We're trying to disable access to certain resources via a NAR, and finding that some users are not in the ACS dynamic user database, despite that, at one point in the past, they have used it.
Am I correct in assuming that a user that has never authenticated via an ACS-controlled resource would not be in the database?
View 6 Replies
Jul 19, 2012
We are using version 5.3 with patch 5. Incremental and full backup are configured but every day we receive an alarm notification.
View 7 Replies
May 30, 2013
I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
About once a day I get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3
I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
What are the components and the logging level that I should set to get some more detail about this error?
At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Run time AAA & prrt-JNI.
I do not want to enable too many debug logs, so what is the specific element that I should be debugging?
I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
View 3 Replies
May 27, 2013
I would like to know if it's possible to set up database replication from a Cisco ACS 4.2 server to an ACS 5.4 server?
View 3 Replies
Feb 18, 2013
I configured a PIX 525 for Easy VPN. About 100 to 200 people will use this service. I don't have much knowledge about RADIUS and TACACS servers. Is the local database enough for extended authentication, or should I configure a server for it?
View 2 Replies
Mar 27, 2011
Firstly, for ACS 4.2.1 for Windows database replication, does anyone have any documentation on the processes required? Secondly, I have a single system installed which is providing TACACS authentication for management access to a Cisco 5508 WLC; the controller prompts with a login box on connection to the web interface. When you put in the username and password pair, the box comes back as if the authentication has failed. On the ACS I was unable to see any failed authentications, so I enabled passed authentication reporting and can see the user passing the process. The WLC is running software version 6.0.199.4. On the ACS I have added the extra two options within the TACACS interface configuration and have a 'role1=all' against both the user and the group the user is part of, so I am confused as to why the user is still denied access.
View 3 Replies
Jun 16, 2010
Just installed ACS 5.0.0.21. Monitoring and reports database was working, but now is not. When trying to open, I get "Monitoring and reports database currently unavailable. Trying reconnect in 5 minutes." From CLI "sho application status acs" gives me the following:
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
Process 'view-database' running
Process 'view-collector' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Also, logs show nothing unusual.
View 6 Replies
May 26, 2013
I would like to check whether Microsoft SQL Express 2012 is able to work with the ACS 5.3 remote database?
View 5 Replies
Apr 23, 2013
We have recently upgraded ACS 5.1 to 5.3 (normal upgrade process). All secondaries (ACS-B) were deregistered from the primary (ACS-A, used as configuration server and log collector) and updated successfully. But while upgrading, the primary ACS server was rebooted manually. Later the primary server was re-upgraded successfully to 5.3.
Just to ensure the database is not lost on the primary ACS (ACS-A), the primary ACS was registered to one of the secondary ACSs (ACS-B). Initially ACS-A registered with ACS-B, and both ACSs were showing the proper role: ACS-A (secondary) and ACS-B (primary). But the new primary ACS (ACS-B) is showing the new secondary (ACS-A) as offline and replication pending, whereas on Secondary ACS-B it shows primary ACS-A online and updated. But the ACS replication ID is gradually incrementing. The ACS system has been like this for the last 2 days, but I am not sure if there is real replication happening at the backend. How long does it take to replicate completely? And how do I check / verify the status of the upgrade?
View 3 Replies
Jul 31, 2012
On the dashboard of the "Monitoring & Report Viewer" I see a lot of system alarms related to the database. The explanation of the alarm says to look at the Collector logs for the details.
View 3 Replies
Mar 22, 2011
I'm trying to configure ACS 5.2 with an LDAP external identity store; when LDAP fails, ACS 5.2 should use the internal identity store. I configured a sequence to use LDAP first, then Internal, and I shut off the link to the LDAP, but ACS will not use Internal. AAA Diagnostics keeps telling me that it cannot establish a connection with the LDAP server, and it will not use the internal store.
View 7 Replies
Sep 27, 2012
I am working on project with Secure ACS 5.2. I am trying to determine the proper External Database to use. LDAP or direct to AD?
Additionally, the domain that I am connecting to has multiple subdomains. All of the users are currently in the subdomains, but will be moving to the root domain later. How should I configure the connection: do I need to connect to each subdomain, or can I just connect to the root?
View 2 Replies
Jul 4, 2011
Using a CSV file, I cannot add a user to the internal database of the ACS. I get a permanent "error File Format Validation Failed". However, the file I want to import really is a CSV file.
View 2 Replies
Jan 17, 2012
What is the type of the ACS v4.2 database password hash?
example:
-------------------------------------------------
Name : ###postureuser
Password : 0x0020 fe fc f0 11 24 dc dd bd 0f d9 78 56 b8 4a fc f4 40 d0 bd 1d 19 5b 56 7e 14 f0 4e 1a b0 83 66 24
Chap password : 0x000e 22 07 e4 28 c0 09 7f 1a b7 e6 2a 78 a1 52
-------------------------------------------------
View 1 Replies
Jan 16, 2012
Is it possible to create on ACS5 rule which will:
1. Try to authenticate user in external database1 (radius)
2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
View 5 Replies
Mar 9, 2012
I have a CSACSE-1113-K9 with ACS 4.2.15. I want to configure the Windows user database under external user database, but I get an error (attached): 'An error has occured while processing the Authen DLL Configure pagebecasue an error occured.' I tried to stop the services and start again, but the same issue. The appliance is the secondary (backup) ACS. On the primary it is working fine.
View 1 Replies
Apr 26, 2011
I am running Windows-based ACS 3.3 in my LAN environment; it is going to be replaced with an ACS 1120 appliance running ACS 4.2.1.15. The ACS 3.3 database has been built up to 4.2.0.124, step by step, by the upgrade process:
1) ACS 3.3.3.14 ---> 4.1.1.24
2) ACS 4.1.1.24 ---> 4.2.0.124
Now my database is a 4.2.0.124 dmp file. I cannot upgrade my database to 4.2.1.15 because the 4.2.1.15 patch is not applicable and executable on the 90-day evaluation package of 4.2.0.124 on the Windows platform.
Can I import my Windows-based 4.2.0.124 database directly to my ACS appliance running 4.2.1.15.3? Or does it require any step to be done to modify the Windows-based database to match the appliance Windows version first?
I could see on appliance under restore settings the following options (restore from 4.2.0 backup file to acs 4.2.1)
View 8 Replies
May 15, 2012
I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform. I have configured authorization with TACACS+ on ACS server version 5.2, with fallback to the switch local database. A user test with priv 15 is created on the ACS server, password test2. Everything works fine until I create the same username on the local database with privilege 0 (it doesn't matter if the user in the local database was created before the user in ACS or after), e.g.: username test password test1 role priv-0 (note passwords are different for the users in both databases).
After I create the same user in the local database with privilege 0, if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless that the ACS server is up and it should be the primary way to authenticate and authorize the user.
View 3 Replies
Mar 26, 2012
I am configuring a new ACS 1121 appliance with version 5.3 and wanted to know how to configure Remote Database settings in ACS 5.3. Is it necessary to configure that option?
Also, one more thing: I can see that ACS 5.3 generates lots of logs. Is there any solution to reduce such logs? It seems many unuseful logs which are system related are getting logged on the device, which might not be good for the memory requirements of the device.
View 6 Replies
Feb 28, 2012
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh
aaa authentication ssh console SERVER_RADIUS LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
[code]....
View 2 Replies
Apr 4, 2013
I installed CSM 4.1 more than 8 months ago and I haven't had any problem using CSM 4.1, but now I want to know how I can archive log files before purging, and how I can save reports and events to an external disk.
View 0 Replies
Nov 15, 2011
From one day to the next our UPM database (upm.db) has blown up from 4 Gb to 35 Gb. Data purging didn't reduce the size of the db. What happened? And how can I compact the db again?
View 4 Replies
Jan 12, 2012
We have an ASA configured in multi-context mode, with software 8.4(2), configured for AAA. The configuration in the admin context is as follows:
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
key *****
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
Because of multiple contexts, after logging in we enter the System context. Console port authentication is working fine, except access to privileged mode while connecting over the console port. After issuing the "enable" command, the ASA accepts only the configured enable secret in the system context and changes the user ID to enable_15, so we are unable to do user-level command authorization and accounting. It seems that the ASA in the system context is not aware of any AAA configuration, and there isn't any command to configure AAA in the system context. Is there any way to configure enable authentication over AAA in the system context?
View 3 Replies
Jun 6, 2011
I am running ACS 4.2 on Windows 2003 and for some reason I need to rename the server name?
View 1 Replies
Aug 28, 2011
I would like to add an alarm to LMS for when a power supply of some device goes down. For instance, when the power supply fails, LMS sends an email or something like that.
View 2 Replies
Aug 25, 2011
We have a Cisco 7206VXR with NPE-G2 and the IOS c7200p-spservicesk9-mz.124-15.T10.bin. A PA-MC-STM-1SMI is connected to the 3rd slot of the chassis. The links terminated on the SMI are working fine and we are not getting any error messages on the chassis regarding this SMI.
But here we have an amber LED glowing on the ALARM LED of the SMI card.
As per the below Link: URL
This means Loss of Signal/Frame.
##Table 1-5 PA-MC-STM-1 LEDs
#LED Label
#Color
#State
[Code]....
View 2 Replies
Jul 10, 2012
I am getting alarms on Solarwind indicating interface down on "GigabitEthernet 4/7 - Gi4/d1" and "GigabitEthernet 4/8 - Gi4/d2" from our core switch 6509. Remote login to the switch does not show the interfaces when I do the "sh run" command. Now I am at site trying to identify and diagnose this fault. Looking at the numbering on the switch, it indicates to me the card where these alarms come from is the 'intrusion detection module'.
How may I log in and identify these interfaces and rectify these alarms?
View 4 Replies
Jun 18, 2012
I have the following error in a SW3750:
%SFF8472-5-THRESHOLD_VIOLATION: Te2/0/1: Voltage low alarm; Operating value: 0.00 V, Threshold value: 3.07 V.
I used the command:
#sho interfaces transceiver
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
[Code]....
View 1 Replies
Apr 12, 2011
I have a Cisco ASA 5510. I am running an attack against my firewall using nmap. I see the attack in the log, but I would like the firewall to send only an attack alarm by email. I have email active with warning level and I receive very many emails.
I observed that the graph shows the attack, but not the IP of the attacker. Is it possible for the Cisco ASA to show the IP too? The log shows scanning with nmap, but it does not shun the IP and does not send an alarm. How can I send an alarm? The graph does not show the IP; is it possible to show it?
View 10 Replies
Nov 5, 2012
We have a WAP 200 wireless G access point. It worked perfectly before. About two weeks ago, though we didn't change anything, it began to send an empty alarm email every 10 minutes. We upgraded the software to the newest version and restarted it several times. But till now, it still keeps sending empty alarm emails.
View 1 Replies
Aug 27, 2011
Since a few days my WRT120N gives an audio alarm (beep) about every 10 secs. Cannot find how to overcome this or find the root cause. Installed new s/w version. H/W reset. Nothing works.
View 2 Replies
Dec 9, 2012
I have a Cisco 5548 Nexus switch with a 10Gbase-SR interface transceiver. This interface is connected to a server chassis.
The show interface transceiver details output shows a High ++ alarm for Current. Additionally, I am getting output errors on this interface.
View 1 Replies