Cisco AAA/Identity/Nac :: Backing Up And Restoring ACS 5.x?
Jul 18, 2012
Can I check I've understood the ACS backup and restoration procedure?A backup run from exec as "backup <filename> repository <repository name>" is the same command run automatically by "System Administrator -> Scheduled Backups" in the GUI, just scheduled for me...That backup is enough to completely restore ACS to its state at the time of the backup, including ACS config (Users, Devices, NDGs, etc.) and the View database (reports, historical data, etc.)It's entirely separate from the backups ACS View makes as part of it's purging action. (I only need those if I want to go way back in time, I don't need them to restore a functioning ACS with the recent reports and logs) if I still have a working ACS left after the primary dies, is it not just easier to promote the survivor to primary and then add the replacement in as a secondary and let replication restore the configs? Perhaps re-promote the new box to primary afterwards?
View 7 Replies
ADVERTISEMENT
Jul 14, 2012
I think I understand purging in ACS5 now:Purging occurs when the database either gets too large or when data is too old (up to 12 months, although I assume you can leave the setting blank and no age related purging takes place?)Data is purged by making incremental backups and deleting the backed up data from the local database until the size/age pressure is relieved.So, my question is, how do I later look at the purged data? If I suddenly need to look at logs from last year what am I supposed to do? If I restore it surely I'm just going to go over the size limit again and it'll just get purged, no?
View 6 Replies
View Related
Sep 21, 2012
I have several network shares in my home using two different NAS devices.I am looking for recommendations for backing up the data on these devices.I currently use CrashPlan for backing up my computers.I have 1 share (documents) that I would like to somehow get backed up to CrashPlan (I'm not specifically tied to CrashPlan, it's just what I'm using now). The rest of the shares I would like to just backup locally in the event of hard drive failure.I have tried having my iMac mount the documents share automatically and include that in the CrashPlan backup, but it seems unreliable.
View 6 Replies
View Related
Sep 14, 2011
I've just got a brand new 1 TB external hard drive. I want to use this to back my computer files on. I move back to University soon and ill probably get robbed, so i was thinking, if I were to leave this new drive back home on my old machine, could i put files onto it over the internet? Of course id have to make sure the machine at home is on but thats no problem.
View 2 Replies
View Related
Oct 2, 2012
We have a 2300 RPS with single 1150WAC power supply (C3K-PWR-1150WAC) which is connected to one 2921 Router. But it is not backing the rotuer.
Router 2921 running IOS
c2900-universalk9-mz.SPA.152-2.T1.bin
I am getting the following logs:
*** External Redundant Power Supply is present, but type is unknown or not supported.***
%ENVMON-1-POWER_WARNING: : RPS Online Insertion and Removal is not supported.
Do we required any configuration to be done on Router end.
Note: The RPS is backing 2960 Switch.
View 2 Replies
View Related
Apr 2, 2013
We are in the process of upgrading Cisco LMS 3.2 to Cisco Prime 4.2.While restoring the database, we are getting attached msg. We tried by removing security policies from folder but still the error is same.
View 1 Replies
View Related
Jun 9, 2011
Is this known bug that you cannot backup (export) full running or startup config from this switch? Will this be fixed in next firmware? (btw, still no new firmware with CDP support for this script altough sales literature mentions that it should have already been available...)Switch does let you backup configuration as text file (which looks similar to normal IOS config syntax), but it doesn't contain all settings so the file is pretty much useless to restoring the config to another switch.At least following settings are missing from the file:
- management interface config (including DNS settings)
- passwords
- remote syslog server config
- SNTP server config
- IGMP config
- LLDP config
View 2 Replies
View Related
May 8, 2012
I have a home directory on a linux server and i would like to figure out how can i schedule regular backups/syncs onto an external hard drive on a windows machine.
View 8 Replies
View Related
Jan 13, 2011
I have a 3550 I can boot into rommon, when I type flash_init the switch freezes and shows a weird ASCII character?
View 4 Replies
View Related
Feb 3, 2013
Region : France
Model : TD-W8151N
Hardware Version : V3
Firmware Version : latest
ISP : OrangeF
Received today my modem, configured it with some effort but it works... Now i'm trying to save ma config file (rom-0) using web interface, and when clicking on Maintenance > Firmware, i'm always getting:bug.jpg Seems to be a big bug
View 4 Replies
View Related
May 18, 2012
I'm trying to restore backup after upgrading Cisco Prime v4.1 to v4.2. However, getting the following error in the log. [code] The log shows the error is a continuous one and affraid it may be a loop. Currently my restore progress is stuck at 70%RME restoration.[code]
View 2 Replies
View Related
Oct 4, 2012
i tried to restore backup from LMS3.2.1(windows) to LMS4.2 virtual appliance. once the back up is completed, the home page takes forever to load. i opened TAC case, and the only way out seems to be configuring from scratch after importing the devices. i, imported the devices and this didn't cause any problem. But, making the configuration from scratch is something i would like to avoid if possible.
View 1 Replies
View Related
Jul 3, 2011
I have got a working 5505 running 8.3.1 firmware and 6.3.1 ASDM.I have now purchased a second unit and ensured that both units are running the same firmware levels etc.
I have via the ASDM created a backup of the working units configuration, and now i want to load this configuration onto the second unit.I have connected the consiole cable up to the second unit and tried pasting in the contents of the configuration file but no joy.I want to ensure that my configuration will work on this unit before i configure the two units in Active/Passiove configuration.
View 1 Replies
View Related
Jul 10, 2012
I am trying to research the possiblity of backing up IOS and configurations from an Etherswitch module, and being able to store the files onto the Host Router's flash (3925 ISR). and then being able to recover that IOS and configuration, in case I have to replace the Etherswitch Module.
View 1 Replies
View Related
Nov 8, 2012
Creating an image is almost always a success. However, when restoring, sometimes the process gets stuck somewhere (the client reboots prematurely if that happens) and more than often the clients can't boot into Windows anymore.All clients have the exact same hardware.Now I know the image can't be the problem, as I've restored this exact image to a client two days ago and it booted perfectly fine. Everything worked.I tried to image two clients at the same time. The first thing I noticed was that the method used was NFS and not UDPCAST, which it should be. Now I know it wasn't using multicast because the imaging went asynchronous.
View 14 Replies
View Related
Jun 18, 2011
It's not wireless but the leads and cables are all plugged in?!
View 11 Replies
View Related
Jun 23, 2011
I have te E4200. When I backed up and restored my media server settings were not there as well as ftp, I found this out upgrading to 1.0.02 that turned out to be a huge waste of time anyways.
View 7 Replies
View Related
Mar 26, 2011
Restoring a BARS file created from one server onto a different server?
View 6 Replies
View Related
Nov 6, 2012
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (Tried (A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.
View 1 Replies
View Related
Apr 29, 2012
What is the exact command in restoring the running-config on a Nexus 7010. Is it the same command / procedure as the Cisco IOS?
View 3 Replies
View Related
Sep 16, 2010
I just upgraded to a E3000 from a WRT54G and I am having some issues with network speed.I have no special settings and have even tried restoring factory defaults and upgrading to the latest firmware to no avail.The time I notice the biggest hit is when transferring files locally on the network (WiFi and LAN).Let me note that I do know the difference between MB/s & Mb/s and the like.I have Comcast 20Mb/s Down, 1.5Mb/s Up (just a FYI, the main issue is local transfers)
With default settings my Laptop (ASUS N82JQ, Atheros AR9285 Wireless Network Adapter), connects to the router at only 65Mb/s (with full signal).Upload seems to be more decent ~600KB/s (Transferring files from wireless n laptop to the gigabit desktop).Download seems to be limited to ~150KB/s (Copying files from the wired gigabit desktop to the wireless n laptop).These speeds are horrible! ~5hrs to transfer 3GB of data!
One of my laptops had a card that was capable of both 2.4 & 5Ghz and I was previously getting ~2000-5000KB/s (2-5MB/s) transfers with this router (But I had to do a system restore on it and reset the router). My ASUS laptop seems to only work with 2.4Ghz though. If I change the 2.4Gh Wireless settings on the router to "Auto(20MHz or 40MHz)" the laptop will connect at 150Mb/s, but the speeds are the same slow speeds as above.
View 9 Replies
View Related
Oct 28, 2012
I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
View 1 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
Jul 11, 2011
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
View 2 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Dec 5, 2012
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
View 8 Replies
View Related
Oct 6, 2012
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
View 2 Replies
View Related
Apr 14, 2011
I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies
View Related
Dec 3, 2012
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
May 11, 2012
I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
View 3 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Aug 28, 2012
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
View 4 Replies
View Related
