I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
When the primary instance fails I can authenticate successfully using the secondary instance.However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies View Relatedis there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
Number
#Name
#Description
#Type of Value
#Inbound/Outbound
[code]....
to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]
When attempting to register an ACS instance to a primary (via System Administration -> Operations -> Local Operations -> Deployment Operations), I receive the following error as a popup in my browser:
"This System Failure occurred: /opt/CSCOacs/db/acs.crt (No such file or directory). Your changes have not been saved.Click OK to return to the list page."
I had 2 ACS 1120 appliances clustered, 1 suffered a hardware failure about a year ago so I replaced it with a VM. That one is now the primary. I'm now wanting to replace the secondary instance (the remaining 1120 appliance) with a VM as well. I removed the current appliance from the network, installed the VM using the same IP address, and attempted to register. It failed as per the above error. After trying this a number of times, I then decided to return the 1120 appliance to secondary status and attempted to register it with the same results as above.
ACS and i would like to know how to enable the "Configuration Audit" for someone login to my network devices using their ACS login and i can monitor what they did on it.
ACS Version : 5.2.0.26
what is the maximum number of AAA clients supported by a single ACS5.3 instance?
View 1 Replies View Relatedi have planned a deployment with one acs in Europe working as primary, one acs in europe as secondary and one acs in USA as secondary also.
I can add one acs in europe to the deployment as secondary. When I try to add the acs in USA to the deployment - Nothing really works.
The status shown in the primary is offline (red) and status pending. It stays like this for hours. When I log in to the gui directly on the acs in USA, it still has status primary.
The two acs are transparently connected. There is WAN optimization (cisco waas) in between the two datacentres..
I have two ACS 5.2 working in redundancy Primary and Secondary my question in when my primary ACS goes down i can´t see the log in the secondary ACS. I read in the documentación that only one ACS can be configurated for working like logg collector server. Now I configurated my secondary ACS like logg collector server now when my Primary ACS goes down i can see the logg. Finally when my Secondary ACS goes down i can modified the ACS Primary Configution by show me the logg.. Is possible to do this automaticaly for show me the event logg ? when the ACS that is configurate like logg collector server goes down pass the event other ACS automatically..
View 3 Replies View RelatedI have 3 ACS servers placed throughout N. America. I it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When i look at the logs for passed/failed authentications in radius or tacacs I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and tacacs and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02.Anyway it seems like a small problem but i need the logs to work correctly to properly administrate security.
View 1 Replies View RelatedWe are using ACS 5.3 with two servers in a distributed solution.All logs are collected on primary server so when this server fails all logs are lost.How can I enable log on secondary server also?
View 2 Replies View RelatedI've just had to rebuild my ACS appliance with new hardrives but I am unable to register the devices to each I get a system error. I thought it may have had something to do with the rebuilt device not being joined tothe domain but it has now been joined albeit using a different ad account, but still cannot register to primary.
View 11 Replies View RelatedWe have 4 ACS 5.3 Servers connected as Primary and Secondary Servers.We use a "RSA SecurID Token Servers" External userdatabase for authentications and are able to sucessfully authenticate (vpn-)users when the requests are send from the primary ACS Server.As soon as a secondary ACS server sends the request to the RSA server the request fails. "Node verification failes"
On the RSA Authentication Manager 6.1 Server, we have created a Agent-host wich contains the 3 secondary nodes (FQDN and IP's). The "sdconf.rec" file has been installed on theprimary ACS Server and are automatically (so it looks like) replicated to all ACS Servers.Still none of the secondary server are able to authenticate the users agains the RSA server.
I am attemtping to install new ssl certs on our 5.3 cluster. I was able to generate the CSR on the Primary host. When I attempt to generate the csr on the secondary host, I receive the following error:
This System Failure occurred: Error while remotely calling Primary to create: com.cisco.nm.acs.im.certificate.CertificateRequest Object{ request=[B@144cead, privateKey=null, encryptedPrivateKeyPassword=[B@5ce155, certificateSubject=CN=xxxx.xxxxxx.net, keyLength=2048, digest=SHA1, timeStamp=null, friendlyName=null, guid=[B@1cd99ca, description=null, name=xxxx.xxxx.net, version=0, id=0}. Your changes have not been saved.Click OK to return to the list page.
Both hosts are running identical versions:
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839
I have a question about the number of Cisco licenses needed in two cases for ACS 5.3 Virtual Machine.One primary + One secondary : Just one license for all or one license for the primary + another one for the secondary ?One primary + several secondaries : Just one license for all or one license for the primary + just one license for all the secondaries ?
View 1 Replies View RelatedMy customer has an ACS 1121 version 5.4. Now we want to install a secondary ACS 1121.
View 2 Replies View RelatedWe recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
View 4 Replies View RelatedNoticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?
View 3 Replies View Related I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
This System Failure occurred: Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.
ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5
I'm constantly seeing that the sync and replication status for my secondary admin/monitor node in the primary node as node not reachable. The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able successfully ping the devices from each other using both hostname and ip and the nslookup also works fine between both nodes. Ping and nslookups also work from different networks within the environment. The two nodes are in the same vlan on a 6500 vss pair but on different switches of the pair.
View 6 Replies View RelatedI have cisco ACS 4.2 (1) build 15 working fine, but it can save historic logs for Passed Authentications, Failed attempts. etc.
View 1 Replies View RelatedI have problem with ACS 5.0 on reporting. On "Monitoring and Report" page in Faverite Reports when i clicking on "Authentications - RADIUS - Today", My browser displays error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0 also from command line all the acs services are running. It is running on CISCO 1120 Secure Access Controll Server apliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
I have saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs, though I can login to the network devices using Tacacs login, but I am not getting Tacacs authentication logs ?
View 3 Replies View RelatedHaving an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
Why my asa5520 brings out:
sh curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
while i am logging in with my username which is XXXX. And in my ACS accounting logs I cannot see which user did what.
I have a pair of ACS appliances running 5.1 code. The appliances are set up as a replicated pair. I have valid local and trusted certificate authority certificates on the primary.
The trusted certificate authority certificate gets replicated to the secondary. Obviously the local certificate doesn't get replicated. I need to generate a certificate signing request on the secondary but it doesn't seem to allow you to do it.
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload - apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
[code]....
I have some queries regarding on the report generation for on Cisco ACS v5.2.
1) Can we schedule to run a customized report on ACS and then email the report to the user?
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
3) Can we configure user authentication logs to be viewed on WCS.
I am using CiscoSecure ACS v4.2 appliance, in there any way that RADIUS logs upload to FTP server because it has limitation to store RADIUS logs.
View 15 Replies View RelatedWe are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
How to delete the accounting/authorization Reports or logs ?
View 2 Replies View Related