Cisco AAA/Identity/Nac :: Bulk Upload Mac Address To ACS 4.2
Mar 9, 2011
Customer is running ACS 4.2 and needs to upload thousands of MAC addresses into the ACS database for MAB. How can this be done? Does Cisco support CSV file import in ACS 4.2 or any other utility?
View 1 Replies
Jul 21, 2011
I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsuccessful. I keep getting the "please verify the patch bundle is valid".
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renamed the file to 5-2-0-26-4.tar.gpg and verified the MD5.
View 1 Replies
Apr 24, 2013
I am using a CiscoSecure ACS v4.2 appliance. Is there any way to upload RADIUS logs to an FTP server, because it has a limitation on storing RADIUS logs?
View 15 Replies
May 4, 2012
I have about 1400 devices in LMS for this one customer.
They have 1200+ IOS devices
200 + catos devices
My problem is we use 2 different change scripts in Config Editor for IOS and CATOS. I have a list of all of the IOS and CATOS devices in txt format.
Is there some magical way to just upload the txt files into Cisco works instead of searching for them during the Config Editor batch job creator? I find it takes hours to sort this batch job out
View 0 Replies
Jun 28, 2012
Building was recently upgraded from cat3 to cat6 wiring and I'd like to ssh into each Cisco C3750 stack and change every port on the stack to autonegotiate. I can release each port one at a time by doing "no speed" and "no duplex" after selecting each port (interface fastethernet x/x/x) , but it's taking forever as there are many stacks and each stack has a number of 24 and 48 port switches. The stacks are a mix of fastethernet and gigabit ports (C3750 and C3750G switches) if that changes anything command wise.
View 2 Replies
Aug 17, 2011
We have created a sample configuration for ISRG2 2901 Router. The sample configuration is long, and with copy/paste it is possible to skip some lines, and it is difficult to ensure the configuration of every device is standardized due to this error possibility. What we are trying to achieve is first create a template from this sample configuration file, and then create configuration files for each device separately and automatically. After creating these configuration instances, we want to be able to distribute the configuration files (and possibly the IOS) to the devices during the staging phase. Since there are about 1000 2901 routers, creating configuration files is important.
From searching we have found the following tools:
1) CCE (Cisco Configuration Engine): This tool seems to be very efficient for distributing the created configuration files. We may use the serial number of the device, and it provides almost zero touch provisioning of the configuration files to the devices. Creating the configuration file from the template seems to be manual, i.e. enter the IP addresses of the interfaces, the routing tables one by one for each device. How can we use a Velocity template for device configs?
2) Ciscoworks LMS Prime: It is possible to create a baseline template for the devices, and after getting the backup configuration of the routers, it is possible to compare the actual configuration of the device with the baseline template, and understand if there is any difference between them. This is indeed very useful in order to keep the configuration standardized, but we again could not find a way to create bulk configuration files from the baseline template.
3) Solarwinds Config Generator: This tool is useful for creating a configuration file from a template, but again not for automatically creating configuration files, and needs manual intervention.
4) Excel Macro: It seems that some people have managed to automatically create configuration files using an Excel macro, but we could not find a procedure or tip on how to achieve this.
5) Perl or TCL/TK Script: Again, since we are not software developers but from the networking field, it is difficult to achieve a working form of these scripts or code due to lack of documentation and development experience.
View 1 Replies
Jun 30, 2011
I just upgraded my cable modem from the Motorola Surfboard 5120 to the DOCSIS 3.0 capable 6120. Provisioned it with Comcast and their "Blast" service (supposedly it caps at 16 down, 2 up).
I had, in the past, used my desktop via N-format wireless (DWA-525 N-format PCI adapter and DIR-655 N-format router) to do a speedtest.net test. I was getting 16 down and 2 up (as advertised). When I switched to the 6120, I did a speedtest.net test again to see what kind of gains, if any, I was getting. Turns out, I was getting 20+ down (nice improvement) and 1/2 Mbps up (a fourth of what I used to be getting?). Called Comcast. They "sent signals" (don't they always?) and claimed that it fixed it. My download speeds increased a smidge (about 22), but my upload speeds were still .5. Called Motorola, they had me do a few things and now I get 1 Mbps up and 27 - 30 down via wireless.
My download speeds are great. I'm content with that. If I hardwire from the cable modem directly to a ****py old laptop, a speedtest.net shows 4 Mbps up. So why do I get such a high upload speed when hardwired (4 Mbps), but a fraction of it (1/4th) when wireless? I'm not using any other devices to sap bandwidth (some are connected -- i.e. another desktop, my Droid phone, etc., but aren't actively pulling packets). And why would it go from 2 up (on my desktop via wireless in the past) to only 1 up (via wireless now) when the setup is the same across the board (as best I recall) other than upgrading my cable modem.
Since I get 4 up when hardwired straight off the cable modem, I assume my DIR-655 is slowing me down somehow. How to pick up the pace a bit? I've already tried the standard "power cycling", etc.
Oh, and the reason I go wireless -- my cable modem and wireless router are in my game room in the basement for my PS3. My desktop computer (and the wife's desktop computer) are two floors directly above it in our "office". Signal strength is "excellent" ... always has been. And again, pretty much everything is the same.
[URL]
View 12 Replies
May 30, 2011
How can I change the IP Address of cisco ACS 5.2 itself through the web?
View 3 Replies
Apr 6, 2013
I need to change the IP address of existing primary cisco ACS 4.2 (windows based). What is the required procedure to change the IP address?
View 4 Replies
Sep 30, 2012
Is it possible to create an ip address pool for ip address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?
View 2 Replies
May 10, 2012
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
View 4 Replies
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and are unable to do certificate-based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access
Identity: Internal Users -- (Single result selection)
Authorization -- (Rule based result selection)
-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
View 5 Replies
Jan 13, 2013
I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP addresses. Secure ACS is not quite easy to look through in that case.
View 3 Replies
Jun 26, 2012
I'm currently evaluating a scenario where AAA requests are load balanced across multiple ACS 5.3 instances. The application delivery controller runs in L3 mode, which naturally causes the original packet's source IP address to be replaced by a randomly selected proxy address. As far as RADIUS is concerned, I can perfectly determine the originating NAS by means of a 'Device Filter' condition. Unfortunately, ACS seems to lack the possibility of achieving the same for TACACS+. According to the user manual, only the actual IP address from the received packet is taken into account. I've also come across the 'NAS-Address' attribute in the protocol dictionary, but it can't be used in a custom condition either. How to retrieve the initial device IP address from a TACACS+ request in order to use it for further policing?
View 8 Replies
Oct 4, 2011
We have c3750s running NAC 4.8. Occasionally, a workstation will flap between the untrusted and trusted VLANs. We updated the NIC drivers on the workstation, we verified SNMP was functioning correctly on the switch, and we allowed the phones to act as the pass-through between the workstation and the switch. What could cause the workstation IP Address to not redirect to a TRUSTED VLAN from the NAC_UNTRUST VLAN? All updates have been downloaded to the workstation.
View 1 Replies
Aug 1, 2012
I would like to use the ACS 5.3 as TACACS Proxy. Basically it works. But when checking the logs on the destination TACACS Server (ACS 4.2) I see that all requests (Source-NAs) came from the IP of the TACACS-Proxy. Not from the original source IP.
This is useless for my scenario, because on the destination TACACS Server the policies are built on the NetworkDevices Groups and AAA Clients = source IPs.
View 2 Replies
Mar 29, 2012
I have a running L2TP/IPsec VPN setup with authentication against a radius server (freeradius2 with mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
The radius server is returning the correct parameters, I think.
It's a Cisco 892 Integrated Service Router. Code...
View 2 Replies
Jul 7, 2010
Using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change). Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
View 8 Replies
Jan 20, 2013
We have Cisco 3750G switches and have them setup to use Cisco ACS 5.2.0.26.5. Some switches after they are restarted and we know that the config is saved the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in Solarwinds.
View 6 Replies
Aug 8, 2011
My company requires that each dial-in user must have a fixed IP. The old ACS 4 can, but I cannot find the same configuration item in ACS 5.2.
View 2 Replies
May 9, 2010
I am trying to configure the ACS with AD in the identity store but am running into the following issue. I enter the AD Domain Name and username and password and hit the 'Test Connection' button and receive a DNS error stating that it 'Cannot resolve network address'. I have logged into the CLI and tested to the domain name from there and it works fine.
View 5 Replies
Aug 23, 2012
I cannot sponsor a guest account using his/her email address. When I try to create a guest account, it shows as in the attached file.
For example,
email.m@email-me.co.xx ->>>>>> cannot create
email.me@email-me.co.xx ->>>>>> can create
ISE version 1.1.1.268
Patch version 1
View 4 Replies
Feb 12, 2012
Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username??
View 13 Replies
Sep 17, 2011
At first I used ACS 4.2 to create a static IP address user for remote access VPN. It's easy, just configure it at user set>Client IP Address Assignment>Assign static IP address, but when I use ACS 5.2 I don't know how to do it.
I tried to add an IPv4 address attribute to the user by reading the "ACS 5.2 user guide", which says this:
Step 1 Add a static IP attribute to internal user attribute dictionary:
Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3 Click Create.
Step 4 Add static IP attribute.
Step 5 Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6 Click Create.
Step 7 Edit the static IP attribute of the user.
I did just that, but it does not work. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP address which I configured on Internal Users, so the tunnel setup fails. I tried configuring an IP pool on the ASA for ACS users to get IP addresses from, and when using the EasyVPN client to connect to the ASA, everything is OK and the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to user" configuration, EzVPN fails. How do I use ACS 5.2 to create a static IP address user for remote access VPN?
View 7 Replies
Sep 12, 2012
I recently switched from a wireless connection to a normal one because I had speed issues with my internet, but since then I can download just fine, even faster than before, but my computer seems to be unable to upload any data on the internet. I mean I go on Skype and talk to my friends, but when I have to upload a .jpg or I want to send somebody a message with bigger content than 5 KB it just keeps uploading but does nothing. I searched for viruses and even disabled my firewall but it doesn't seem to work.
View 5 Replies
Jun 2, 2011
Upload configuration to the Cisco 877? Normally I am using the TFTP server,
View 30 Replies
Aug 8, 2011
How can I upload IOS to a switch when it is in ROMMON mode? It shows IOS in flash, but it may be corrupt, so how can I put a new IOS on a 3560 switch?
View 1 Replies
Mar 14, 2012
I need to upload IOS c7200-advipservicesk9-mz.124-15.T16.bin in 7206 NPE 400 router. As per Cisco recommendation the router should have DRAM : 256 MB ; Flash : 64. I think my router contains only DRAM = 128 MB but not sure.
How much DRAM & Flash it contains.
Router1#sh version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 05-Jun-03 20:58 by dchih
Image text-base: 0x60008954, data-base: 0x61E0C000
[Code].....
View 8 Replies
Oct 14, 2012
I would like to upload the signed certificate to LMS 4.2.2. After checking (4. option) I chose the 6. option and pressed "y" for the questions, and the Perl script is freezing.
View 2 Replies
Dec 20, 2011
Have an existing 1811 router that works fine. Purchased a 2911 configured the same as the 1811. Download speed is the same as the 1811. The upload on the 1811 is 60 mb. The upload on the 2911 is 2 mb.
View 1 Replies
Apr 3, 2013
I have 50GB storage on box.com and DropBox. So I just want to back up my files there. Web interface just sucks and offers no customization. Their desktop programs are only to sync, and don't do much to just upload. I don't wanna sync folders, I just want to upload files!
View 13 Replies
Dec 11, 2011
I'm just wondering how I would get a faster upload rate. Is it my modem? Is it my internet connection? At the moment my upload rate is
View 4 Replies
Jun 4, 2011
I was uploading a big 2gb file to my FTP server, it was all going good and I managed to upload the whole thing hassle free. After I finish I log out, and return about 3 hours later and try to log back in, to no avail. WinSCP gives me the following error:
[code]....
View 1 Replies