I am trying to migrate an ACS 4.1.1(24) using the migraton tool to ACS 5.2. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports are showing no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
I have been experimenting with acs 4.2 and a cisco asa 5510. I have managed to authenticate the ASA users with my tacacs server. The user "test" is authenticated with the tacacs server, and can log in. But the enable password is wrong, because i dont know where to place it in the tacacs server.
Now my question is, where do i set my enable password when authenticatig with tacacs+. And for this i mean in the acs 4.2, i know how to do it on the asa.
I am working through the migration from ACS 4.1.4 on Windows Server 2003 to ACS 5.2 on the appliance. I have created the 4.1.4 migration server, installed the software and imported the data from our production ACS 4.1.4 box. I downloaded the migration utility from the 5.2 ACS server and am attempting to run on the 4.1.4 migration server. The question that fails is:
Enter ACS 4.x Server ID:
I do not know what this means and do not see anything on the 4.1.4 server that identifies the Server ID. I try localhost and it does not work and the 4.1.4 server is not registered in DNS or I would try that (and . are not valid characters in the ID so the IP does not work).
How have other people handled this question? Is there something that can identify the local server ID?
provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
View 8 Replies View RelatedI successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?
View 3 Replies View RelatedI just came across a requirement, of implementing different password policies for different group users.
I can see in >>>>SYSTEM CONFIGURATION>>>>User>>AUTHENTICATION SETTINGS has only global option to implement the password complexity/no of days for active user. But i need this feature to be based for per user/group
I don't seem to be able to find a migration utility for PIX rel 8.0.4 to ASA 8.6 is there one available will save a lot of time
View 1 Replies View Relatedwe have some RV042 Routers with Firmware 1.3.12.x we would like to replace with the new V3 hardware.
We downloaded the migration utility 1.0.2.2, which crashes for at least one device.
The release notes for the utility are for version 1.0.2.8, where some crashes seems to be fixed, but where can we download this actual version?? I can only see the (older) 1.0.2.2..
I tried to use Migration Utility v 1.2.2.0 with configuration file from older unit having VPN tunnels and application is crashing with windows MFC error(on several computers, so it is not related to PC).Migration from V2 to V3 of configuration not having VPN tunnels went ok.
View 4 Replies View RelatedHow to configure authentication of enable password using acs 5.3. I have installed acs 5.3 and created user and gave relevant passwords. Following config is done on router
aaa new-model
aaa authentication login default group tacacs+ local
aaa authen enable default group tacacs+ enable
tacacs-server host x.x.x.x key xxxxx
Now when I telnet router, i can authenticate username/pass with acs5.3 but when i try to enter enable command and give password, it gives me error in authentication. What is the process of configuring enable passwords?
I have migrated my ACS data from 4.1 to 5.1 and everything is working fine to test the connection I have configured a switch to get the authentication from the new Tacacs server, using my old username and password..i got in perfectly but when the switch asked my for enable which is the same password, it refused the password.(I have unchecked the <use a different password for enable> option) I deleted my switch from the Tacacs to enter locally, I went in with no problems..i thought that the problem may be from the old configuration.so I created a new username and password to check, and the problem still exist.
View 2 Replies View RelatedChanged my AD password and now i cannot get into the enable side of the cisco switches on our network (we have no routers).Looking on the logs for the ACS v4.2 I can see the following -
On TACACS+ Accounting you can see the connections which have worked - it the initial tty connections -
When i look in the failed attempts i see the following Auth failed - External DB user invalid or bad password or on another occasion internal error or EAP-TLS or PEAP authentication failed due to unknown CAcertificate during SSL handshake.
I upgraded my Linksys RV042 firmware to 1.3.12.19-tm and exported the config file, then tried to convert it using RV0xx_Migration_Utility_v1.0.2.2 in order to import it to a new Cisco RV042 (v3). The migration utility returns a config create fail message and fails to convert.
The LOG file ends with:
Get PORT_101 VLAN Group setting fail.
***log end***
how to make this work or how to move config file to v3?
how do I setup an enable password for an ASA 5510? At the moment its setup to authenticate using RADIUS (which I'd like to keep doing) but I need to setup an enable mode password.
View 3 Replies View RelatedRecently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password which I thought was strange. The TACACS config is below, comments regarding the TACACS config and the consequences of not having an enable secret or if there is a need for one.
aaa authentication login default group tacacs+ aaa authentication login no_tacacs enable aaa authorization exec default group tacacs+ aaa authorization commands 1 default group tacacs+ aaa authorization commands 15 default group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+
the following information before:
Switch: WS-C3750X-48P (Stack with 2 Members)
IOS: 12.2(58)SE2
Lic: IPBASEK9
[Code]....
Since i added another Member to the Stack, i'm facing the following problem: When i login with my tacacs user account, i will not be asked for the password. The same thing is for the tacacs account of my colleague, after entering the username he is logged in. It seems for me, that the passwords are cached only for this Switch.
We have CISCO ASR 1002 router on our DC, I want to enable TACACS on this router.what is the usage of key, we need a separate key for every device? or. [code]
View 9 Replies View RelatedI have an ACS 5.2 deployment and i want to upgrade it to 5.4 version.I have 2 server in my deplyement:
1/ Primary Server as Authentication server & log collector
2/ Secondary server as Authentication server.
What is the best way to do the migration? Normaly, i can proceed as follows:
1/ Deregidter each server from the deployement ==> Make both the servers standaone
2/ Upgrade the Secondary server.
3/ Upgrade the Primary server (without migrate the log server).
4/ Join Servers to the deployement.
what is the key point to note for migrating data from ACS 4.0 to ACS 5.0? how can I use Migration utility to migrate data from old version to new version??
I have ACS setup running with 1000 devices and more than 2000 users and 60 groups dont want to build new acs from scratch want to import data from old version?
I need to upgrade my ACS for windows 4.1.1.23 to 5.2 as we have come across the windows 2008R2 AD problem. Now reading the migration document it says I need to go to at least 4.1.1.24 first which will not be a problem, then I need a migation server, so that means I need another ACS server as the migration server. As I already have 2 ACS servers could I use one of them as the Migration server, ie take it out of production?
View 1 Replies View RelatedIf we need to migrate ACS 4.2 installed on appliance 1113 to ACS 5.3 what all the prerequisites...?
whether any hardware dependencies and the same configurations on 4.2 could be operated on 5.2 even after appliance changes...?
I need to Migrate from ACC 4.1(1) to ACS 5.4, Have configured Network Access Restrictions and Networks Access profiles in ACS 4.1(1), can i go for staright away migration and is the same supported in ACS 5.4
View 5 Replies View RelatedWe have to ACS cisco Box running software as 4.2 & 5.2. We want to upload all the data present in 4.2 ACS to 5.2 ACS.
View 6 Replies View RelatedI'm planning migration from ACS 3.3 to a new machine, so I'm thinking about new Cisco ISE.I have the following question: ACS 3.3 acts as AAA RADIUS with LDAP repositoriy for wireless deployment, using PEAP-GTC. Is possible, with ISE, to use a different EAP method, such as PEAP-MsCHAPv2 or EAP-TTLS?
In ACS 5.X I think it's only supported PEAP-GTC and EAP-TLS when identity repository is LDAP. Is the same in Cisco ISE?
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies View RelatedI think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
One of my customer wants to upgrade their Cisco ACS version from 4.0 to 5.3. The client has existing ACS version 4.0 windows on VM with two instance and need to upgrade to 5.3 Linux.As per my understanding following version are supporter to upgrade ACS to version 5.3 ACS 4.1.1.24ACS 4.1.4ACS 4.2.0.124ACS 4.2.1 but unfortunatlly there is running 4.0.I suggested to my client the upgradation for ACS and proposed this Upgrade lisence L-CSACS-53VMUP-K9 and CON-SAS-CSACS3V? how I can do the smooth deployment / Migration from 4.0 to 5.3 with (A/P)high availability.
View 1 Replies View Relatedwe currently have 4x ACS 4.1 (1) build 23 windows based and we are going to migrate to ACS 5.2 appliance 11211.the first pair we are using simply local authentication for multiple vendor firewall and routers, with one custom radius vendor-specific attributes, with now she exec.the second pair we are using for wireless clients authentication through AD, with dynamic mapping.
in order to migrate what would be the most suitable migration, whether to use Migration utility or export those ACS objects and import them into the new ACS 5.2.
I'm using Cisco Secure ACS 4.2 for Windows to configure and authenticate VPNs external groups and users on VPN 3K concentrator.Now I'm migrating to AC System 5.3.I'm trying to configure the new system to do the same work.
I have configured a new access profile with all RADIUS attributes, than an access policy.IPSec Phase 1 completed successfully but VPN client doesn't procede with XAUTH.ACS View reports the correct rule and access service.
Is there a simple way to migrate shared dACL to group/user mappings from ACS 4 to ACS 5? After migration using the Migration tool provided by Cisco I get shared dACLs and also I get all my users/groups transfered but these shared dACLs are not mapped to groups or users as previously. I understand that in new ACS we do not apply authorization directly to users/groups, but then if I had in ACS 4.x a hundreds of groups and each of these groups had a dedicated dACL (shared) applied as authorization attribute now after migration to ACS 5 I have to create separate authorization profile for each of these groups which is a lot of manual work. So I'm asking for an easy automated way to migrate authorozation rules to new ACS version.
View 1 Replies View RelatedI cannot access WLSE, after migration from ACS 4.2 to ACS 5.2. WLSE was configured with tacacs+ management. In ACS 5.2 I've configured the optional custom attributes: groups = "System Admin"
View 2 Replies View RelatedI'm with problems to migrate the ACS 5.1 hardware to ACS 5.1 vmware. In my infraestructure I have a appliance with ACS 5.1 and I need to migrate to vmware to do HA. I installed vmware as the Cisco ACS recommendations. I made a backup of the ACS hardware and copied the local disk vmware ACS.
When I start the restore process after a few minutes an error occurs:
UMA/admin# dir
Directory of disk:/
33293306 Jun 08 2011 16:51:38 bkp-production-110608-1433.tar.gpg
5862 Nov 07 2009 01:06:32 favicon.ico.1
16384 Jun 06 2011 17:54:34 lost+found/
[Code]....
I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....