Cisco AAA/Identity/Nac :: Stopping Update In ACS 5.1
Mar 15, 2011
I tried to update my ACS 5.1 appliance. I applied patch 5.1.0.44.3 and made a big mistake: I rebooted the server because it was not reachable one hour after applying the patch. Now the server shows the following message when I try to apply other patches: "Can not process requested software update operation since this ACS Instance currently has a software update inprogress."
My question: Is it possible to stop the update process and apply the other updates, or is it possible to revert this update to go back to the previous patch level? For information: the appliance shows only the patches 5.1.0.44.1 and 5.1.44.0.2 installed.
I'm running into an issue trying to update my NAC from 4.8.3 to 4.9.1. I have also tried to update to 4.9 and got the same error. I keep getting "Error: Failed to upload file Content length exceeded (669550974 > 524288000)", which indicates to me that the NAC is expecting a max file size of 524288000 but the tar.gz that I'm sending is 669550974. I have not seen anything in the release notes about having to do anything special to get this to upload. Has anyone else run into this issue and got it resolved?
I want to install cumulative patch 9 for Cisco ACS 5.2.0.26. I found the installation guide: [URL]. Instructions on how to install the patch:
1. Open the CLI console.
2. Define a new repository in which the 5-2-0-26-9.tar.gpg resides.
3. Issue: 'acs patch install 5-2-0-26-9.tar.gpg repository YOUR_REPOSITORY'
We have configured 2 ACS appliances in "Split ACS Deployment". How do I install the cumulative patch on 2 servers? If I install it on the primary server, does the patch replicate to the secondary?
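As an added example that is not part of either post above and not taken from Cisco's documentation, the following ACS 5.x CLI session walks through the three patch steps and also shows the check that answers the earlier 5.1 question of what patch level the appliance is really at. The hostname acs01, repository name PATCHREPO, the SFTP server 10.0.0.5, its directory and the credentials are all assumptions; lines beginning with "!" are annotations, not commands. On the split-deployment question: an ACS 5.x patch is applied to each instance from that instance's own CLI and is not replicated from the primary, so the same steps are run on the secondary as well, one node at a time.

```text
! Assumed hostname acs01; repository name, server, path and credentials are assumptions
acs01/admin# configure terminal
acs01/admin(config)# repository PATCHREPO
acs01/admin(config-Repository)# url sftp://10.0.0.5/acs-patches
acs01/admin(config-Repository)# user acsuser password plain S3cretPass
acs01/admin(config-Repository)# exit
acs01/admin(config)# exit

! Confirm the appliance can reach and list the repository before installing anything
acs01/admin# show repository PATCHREPO
5-2-0-26-9.tar.gpg

! Install the cumulative patch; ACS services restart during the install, so do not
! reboot the node while this is running (the mistake described in the 5.1 post above)
acs01/admin# acs patch install 5-2-0-26-9.tar.gpg repository PATCHREPO

! Verify the installed version and patch list afterwards, on every node
acs01/admin# show application version acs
```

"show application version acs" lists the base version and the patches the node believes are installed, which is the number to compare against the release notes before attempting a further patch. An ftp:// URL is also accepted for the repository, but it sends the credentials in clear text, so sftp is the better choice when the file server supports it.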
Our company has installed ACS Version: 5.1.0.44.6 Internal Build ID: B.2347 with patches 5-1-0-44-5 and 5-1-0-44-6. The security policy of our company includes a password change every 3 months. Our programmers had written a script that allows us to do it. Testing revealed that the script does not work. This is due to the fact that it is not possible to enter the "acs-config" mode. In determining the reasons it was found that to enter this mode there is a limit on sessions (6 sessions). When the number of connections becomes larger than 6, the script does not work. The documentation says that the timeout for inactive sessions is set with terminal session-timeout. In this case, terminal session-timeout is 30. But after 30 minutes the session remains active. It interferes with our script.
We have an L2L VPN between an ASA and a C2900, and they always stop pinging each other, but the VPN stays UP and each can reach the devices behind the other peer.
Every time we have to issue "clear cry isa peer" on the router or "clear ipsec peer" on the ASA to get them pinging each other again, but after a few seconds it stops pinging again. Is there something to fix it permanently? We did some debug crypto on the ASA but no information was logged.
I am getting these unwanted entries on my syslog server:
03/10/2012 12:57:48 172.21.113.20 Error 23898: Interface FastEthernet0/1, changed state to down
I tried to stop them with "no snmp trap link-status" but it hasn't worked. [CODE]
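The IOS configuration below is an added example, not the poster's own config. "no snmp trap link-status" only suppresses the SNMP linkUp/linkDown traps for the port; the message above is a syslog message, so it keeps flowing. The first option stops the router from generating the link-state syslog message for that interface at all; the second, on IOS releases that support logging discriminators, keeps the message in the local log buffer but drops it before it is sent to one syslog collector. The interface name comes from the post; the collector address 192.0.2.10 and the discriminator name NOLINK are assumptions.

```text
! Option 1: stop generating link-state syslog messages for this port only
interface FastEthernet0/1
 no logging event link-status

! Option 2: keep the message locally, but drop LINK/LINEPROTO UPDOWN messages
! for the collector at 192.0.2.10 (address and discriminator name are assumptions)
logging discriminator NOLINK mnemonics drops UPDOWN
logging host 192.0.2.10 discriminator NOLINK
```

Option 1 removes the evidence of the port flapping from every destination, including the local buffer, so it is the right choice only for a port that is expected to bounce (a lab host, an unused uplink). Option 2 is the safer choice when the syslog server feeds detection or forensics: the message still lands in "show logging" on the router and on any other collector that has no discriminator attached.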
I am having a huge problem since yesterday. I was using my wireless connection like always and it has randomly started to stop working for brief periods of time. It's like a continuous cycle where the internet works smoothly and fast (like always) for 30 secs at a time, then it goes into 15 secs where nothing works.
First, I'm running Windows 7 64 bit. So whenever I download a decently sized file, my download will start and get good speed for a few minutes, then it will drop off and stop, and my connection to the internet will be lost for a short time while the connection resets. This happens if I'm using a program like Steam to download a game, torrenting something, sometimes on my Xbox 360 when it needs to update itself or a game, occasionally on a large app or album off of iTunes, or patching an online game. However, I have no issue watching YouTube videos or playing an online game while also having TeamSpeak running in the background to chat. I don't lose connection when browsing the internet at all, and recently I was able to stream a live event without issue, but I only tried that once (I don't have Netflix or anything similar). It usually isn't a big issue because my download will pick up where it left off most of the time, but it's a pain in the butt to have to add an extra hour to a download sometimes for this.
I haven't been able to get a decent answer no matter how much googling etc. I do. We have a problem in our flat where any time someone downloads something, everyone else in the flat loses access to the internet until that person finishes their download or stops it. We are all accessing the internet through the same router, 3 of us wirelessly and 1 wired. The computers which are for some reason blocked by the other person downloading can't even access the router to do a reset or work out what's happening. [URL] gives our download speed as 14.80 Mbps, which isn't great but okay for good old NZ. Why would it be that 1 person downloading is preventing the others from accessing the net? Do some downloads somehow take full control of all the available bandwidth? And is there any way to make it so that it doesn't happen, like make it so no computer can use all the bandwidth at a time, i.e. my flatmate can download his whatever but I can still send emails etc. at the same time?
I am working on LMS 3.2. I tried to stop the daemon service with "net stop crmdmgtd". It has been stuck in the stopping state for a few hours now. I can still open the application. How do I terminate the previous command and restart the daemon service?
I am experiencing a strange problem where the internet speed slows down after a download is stopped partway through. I then have to reboot the desktop to regain the speed.
My network is as below:
DSL Modem - D-Link DIR-655 Router - Desktop A (wired), Desktop B (wired), Laptop (wireless)
If I am downloading a file (1 GB) on Desktop A and for some reason I have to stop it, then the internet connection on Desktop A, Desktop B and the laptop is almost killed. To get the speed back, I need to reboot Desktop A. All computers are on Windows 7.
If I completely download the file, the internet speed is good on all the computers. Before downloading the speed is:
After stopping the download the speed is:
I have an RV082 router that is currently in prod. I have a Dell PowerConnect 5424 switch that I'd like to use in place of the unmanaged switches I am currently using. I have the switch configured with its IP, subnet, gateway, etc. I can plug devices into it and communicate with no problems. However, when I attempt to plug in the router, nothing will communicate to or from the switch. The devices I plugged in will not talk to each other, ping the switch, or the router. I also cannot ping the switch from a device plugged into the router. If I unplug the router, communication opens back up.
I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
I've taken multiple inside and outside packet traces. Other traces contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]
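Added example, not the poster's configuration: the ESMTP inspection line an ASA 8.4 global policy carries by default, the two ways of taking it out of the path (dropping the inspection entirely, or keeping it with a custom map that no longer masks the server banner), and the show commands that confirm which policy is actually in effect while the queued mail is retried. The names global_policy, inspection_default and _default_esmtp_map are the ASA's defaults; the custom map name ESMTP_NOMASK and the Exchange server address 10.1.1.25 are assumptions.

```text
! What a default ASA 8.4 configuration contains: ESMTP inspection in the
! global inspection class, using the built-in _default_esmtp_map
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map

! Option 1: remove ESMTP inspection only, leaving every other inspection in place
policy-map global_policy
 class inspection_default
  no inspect esmtp

! Option 2: keep ESMTP inspection but stop it rewriting the banner
! (ESMTP_NOMASK is an assumed name)
policy-map type inspect esmtp ESMTP_NOMASK
 parameters
  no mask-banner
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp ESMTP_NOMASK

! Verify the policy in effect and watch the Exchange server's connections
! (10.1.1.25 is an assumed address)
show run policy-map global_policy
show service-policy inspect esmtp
show conn detail | include 10.1.1.25
```

The X's in the captures are the inspection engine overwriting parts of the SMTP stream it will not pass through, so comparing captures taken under option 1 and option 2 shows whether the banner rewrite alone is what the remote servers object to. Option 1 also gives up the command and size checks that ESMTP inspection performs, so if it turns out to be the only thing that works, that loss should be recorded rather than discovered later.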
The other day I set up a firewall on my Cisco 1841 router. It all seems to work fine except for a few small problems. 2 wireless devices, an iPhone and an Android tablet, are having some problems with 1 or 2 apps. iPhone 6.0.1: the Facebook app and the App Store will not load. Android tablet ICS: BBC iPlayer and the Google Play app store won't load or play content. Both devices with their issue were working fine until the new firewall was installed. I've tried opening ports and adding ACLs but nothing seems to work. I've included my startup config. All other PCs, laptops, smartphones and iPads work fine.
Building configuration...
Current configuration : 5551 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
I'm trying to test the following 802.1X wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, a 2960 as authenticator, the latest AnyConnect (3.1.01065) + NAM and the standalone profile editor. I have a question: What is the difference between the protected identity pattern and the unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine-only and user-only authentication).
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Condition: LDAP:ExternalGroups groupname1; Result: Identitygroup1
I have the default group set to an identity group named "other". My problem is, no matter what user attempts to authenticate, the Default rule is applied and the user is put into the "other" identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?
I'm currently looking for a solution to restrict the modification of the host internal identity store (adding or deleting MAC hosts) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How do I restrict the internal identity store per group? Do I need to create new roles, and how? I was not able to get an answer from the ACS admin manual.
I have a new ACS 5.3 configured and an ASA 5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS, it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked the documentation and have already configured the identity store sequences to redirect everything to the LDAP server. I also did the bind test and it says that it is OK, but I still have the same problem.
I validated the Access Policies menu and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page." I'm not able to modify the identity, neither in this new option I created nor in the ones already created in the ACS.
I have two ACS v5.2 (primary and secondary); some users are in the internal store and the others are in AD. The local site topology is like this:
PC - AP - WLC - ACS - AD
The authentication method is PEAP (EAP-MSCHAPv2) and all users have the company certificate installed. The OS on the client users is Windows 7. Users were working fine, but some users report intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms. I believed it was because the user wasn't in the AD database, but sometimes the same user is authenticated successfully and other times I see the "22056..." or "24415..." alarms.
I switched the role of the ACS primary to work as secondary and we see the same alarms.
I have ACS 5.2 running as a VM. I'm using AD, then local authentication, successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.
We have an ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticates the users but also assigns the group that is used to select the IP address pool. Now the requirements call for token authentication with SafeNet. This authentication uses the same username, but the password is composed of the original password + OTP. The problem is that the SafeNet server doesn't return the group membership. I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:
- Configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x).
- Configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password, and would retrieve the group membership.
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
I am currently running Cisco ACS 5.1.0.44 and use Active Directory as the main authentication identity store to allow network administrators to have access to network devices in my organization. As per the established security policies in my organization, the ACS has to disable any account after 3 failed login attempts to any network device. I have gone through all the settings on the ACS but couldn't find where or how it is done.
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screenshots that show how I'm configured for the test; I have a local user defined and I'm trying to log into the firewalls.
- Identity Definition: screenshot of the main ACS definition for the rule I'm testing that's not working.
- Identity Rule 1: the configuration of rule 1 that, if it fails, I need to move on to rule 2.
- Log Output: screenshot of one of the failed attempts from the ACS View log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some handheld scanners do not support that and will need to authenticate using the MAC address.
- Authentication to network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts and will need to be able to log into network devices to issue some commands (examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
How does profiling work exactly? How intelligent is the profiling engine, meaning: will it discover that one device has more than one MAC and merge the entries in the database?
Example: this is in fact the same device; there is only one WLC-2500 in the network. If it can discover that, what needs to be configured on the ISE to do that?
I have set up an Identity Firewall on an ASA version 5.6 on a DMZ interface. I have installed the AD Agent on a domain-member Win2008 and configured it as follows: [code]
where ashdew is a domain user and ACL 122 (only one line) is applied on the DMZ interface, and NAT is properly configured. The AD Agent has been properly tested and the ASA can register to it. The ASA can connect to the AD DC and query the user database. I have placed a laptop with IP 172.17.h.x on the DMZ and it can ping the DMZ interface.
The laptop cannot authenticate on the domain and the ASA does not seem to retrieve the user identity. Do I need to add extra rules in access-list 122 to permit traffic to the DC? Can I check on the AD Agent if it can retrieve the user-to-IP mapping?
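An added example, not the poster's config and not Cisco's documentation: the ASA-side identity-firewall definitions that the "[code]" placeholder above would normally contain, ACEs that let DMZ hosts reach the domain controller, and the commands on the ASA and on the AD Agent host that show whether a user-to-IP mapping exists. The domain nickname ABC, the DC at 10.1.1.10, the AD Agent host at 10.1.1.11, the service account, the interface names, the shared secret and the DMZ subnet 172.17.0.0/16 are assumptions; the user ashdew and ACL 122 come from the post. The AD Agent only learns a mapping when the DC records a logon for that user from that IP, so a DMZ host that cannot reach the DC to log on never shows up in the table, and no identity ACE can match it.

```text
! LDAP server the ASA uses to resolve users and groups of the ABC domain
! (addresses, names and credentials are assumptions)
aaa-server ADSERVER protocol ldap
aaa-server ADSERVER (inside) host 10.1.1.10
 ldap-base-dn dc=abc,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa-svc,ou=service,dc=abc,dc=com
 ldap-login-password Svc-Passw0rd
 server-type microsoft

! AD Agent, spoken to over RADIUS in ad-agent-mode; it pushes user-to-IP mappings
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.11
 key Agent-Shared-Secret

user-identity domain ABC aaa-server ADSERVER
user-identity default-domain ABC
user-identity ad-agent aaa-server ADAGENT
user-identity enable

! DMZ hosts must be able to log on to the domain before any logon event exists
! for the agent to read: DNS, Kerberos, LDAP and SMB to the DC (not an exhaustive list)
access-list 122 extended permit udp 172.17.0.0 255.255.0.0 host 10.1.1.10 eq 53
access-list 122 extended permit tcp 172.17.0.0 255.255.0.0 host 10.1.1.10 eq 88
access-list 122 extended permit udp 172.17.0.0 255.255.0.0 host 10.1.1.10 eq 88
access-list 122 extended permit tcp 172.17.0.0 255.255.0.0 host 10.1.1.10 eq 389
access-list 122 extended permit tcp 172.17.0.0 255.255.0.0 host 10.1.1.10 eq 445
! Identity-based ACE: only matches once the ASA has a mapping for ABC\ashdew
access-list 122 extended permit tcp user ABC\ashdew 172.17.0.0 255.255.0.0 any eq 80
access-group 122 in interface dmz

! Checks on the ASA: agent status, current mappings, and the lookup for one user
show user-identity ad-agent
show user-identity user all
show user-identity ip-of-user ABC\ashdew

! Checks on the AD Agent host (Windows command prompt): DC connectivity and
! the user-to-IP cache the agent has built from the DC security logs
adacfg dc list
adacfg cache list
```

Read the two sides together: if "adacfg cache list" has no entry for ashdew at the laptop's address, the problem is upstream of the ASA (the DC never saw a logon from that IP, or the agent cannot read the DC's security log); if the agent has the entry but "show user-identity user all" does not, the problem is between the agent and the ASA (the RADIUS registration or the shared secret). Keep the DC ACEs as narrow as the domain logon actually needs; opening the DMZ to the DC wholesale defeats the point of putting the host there.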
I understand that Cisco Secure ACS 5.3 supports integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA. My question here is: can Cisco Secure ACS 5.3 integrate with "multiple" Windows AD, LDAP, RSA servers, etc.? If yes, is there a Cisco document stating this? The keyword here is multiple.
I am trying to set up PEAP authentication for wireless users, but I got stuck at the point where I have a single SSID and users are stored in different identity stores: some will be using their Active Directory accounts and some are locally created users on ACS. I created a separate service for wireless authentication, and under that I am unable to create a rule to differentiate them by identity store. Any idea how to achieve this?
I tried creating identity selection based on role, but it does not work, as for protocols like RADIUS PEAP/MS-CHAP the ACS does not look for another identity store once the user is not found in an identity store.