Cisco AAA/Identity/Nac :: Unable To Use ACS 5.2 With Logs?
Sep 6, 2011
I have 3 ACS servers placed throughout N. America. I it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When i look at the logs for passed/failed authentications in radius or tacacs I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and tacacs and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02.Anyway it seems like a small problem but i need the logs to work correctly to properly administrate security.
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
I have problem with ACS 5.0 on reporting. On "Monitoring and Report" page in Faverite Reports when i clicking on "Authentications - RADIUS - Today", My browser displays error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0 also from command line all the acs services are running. It is running on CISCO 1120 Secure Access Controll Server apliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
I have saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs, though I can login to the network devices using Tacacs login, but I am not getting Tacacs authentication logs ?
Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config: interface GigabitEthernet1/0/2 sw access vlan 2 sw mode access authentication control-direction in authenticaion host-mode multi-auth authentication port-control auto mab spanning-tree portfast
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
When the primary instance fails I can authenticate successfully using the secondary instance.However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a Maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days + However when I try and display the "ACS_Configuration_Audit" in View and perform a Custom query that goes back 90 days it will only display about 35 days of Admin logs.I know the logs are there because when I go into CLI and do a search like "show logging | i "ObjectType=Administrator Account" the Administration logs go back over a year.why ACS View cannot display all the Admin logs?The ACS is running v5.1.0.44 Patch 6 (Also experiencing this in a v5.2 ACS as well)
ACS 4.2 and remote agent was working properly two months before. But in past two months we are facing weird issue in RA server.For Somedays we are missing logs from both ACS and RA server. Once we notice this we use to restart the services in ACS to give workaround. But due to this we loose our daily logs intermittently and facing risk in without having logs.This is not like communication between ACS and RA is not at all happening. It happens properly for a week or month, but again it is going bad without any config change. CSAgent.ini file is properly configured.Full version is 4.2.1.15 and patch is 10 in acs and ra.ACS and Remote Agent Major and Patch version are same.
Our office has 4 Cisco Aironet 1140 access points mounted on the ceiling. They are all powered via PoE. Every few days 3 of the 4 access points hang and have to be rebooted. When they hang I am not able to connect to their web interface to check the logs. The fourth, for some reason, always seems to stay alive.
I checked the configuration for all AP's and "Hot Standby" is disabled They are all using static IP addresses. I've tried 2 different banks of static IP addresses and 3 of 4 still hange so I don't think this is an IP conflict. I have saved the configurations and compared them and they are all identical, where possible.
They all have software version: 12.4(21a)JA1
They all have bootloader version: 12.4(23c)JA1
I have tried to download the latest software/firmware, but unfortunately I do not have a valid service contract in place with Cisco and therefore can't download the latest version. All of our CISCO hardware was purchased from Amazon resellers but no luck. I have also tried to contact Cisco and they can't seem to assist either. How I can get a valid service contract that information would also be very useful!!!
why 3 of our 4 access points would hang? When they hang, I can't login to the web interface and the logs seem to reset when I reset each access point. I have also set up an rsyslog server and I don't see a log entry that would indicate a problem.
I'm currently running ACS 5.3 Patch 7 in a VM on VMware ESXi. I download the application upgrade bundle, and placed it in my SFTP repository, and ran "application upgrade filename repository name". It throws an error that the manifest file is not found in the bundle.
I tried putting the ACS.gz file in an FTP repository, and even in an ISO file to attach to the VM. In all cases I receive this same error.I did verify the md5sum on the file to make sure it wasn't corrupted..
Just got my server team to install ACS 5.3 on a virtual machine.Unable to access the web interface url...Nothing happens when i try and access this.how i can fault find this as i have cli access.
When I'm trying to make backup in ACS5.1(in log collector node) it gives me the following error:
FullBackupOnDemand-Job Incremental Backup Utility System Wed Jul 13 16:50:23 EEST 2011 Incremental Backup Failed: CARS_APP_BACKUP_FAILED : -404 : Application backup error Failed,I did it via Monitoring Configuration -> System Operation -> Removal and Backup and then "Backup now" bottom.
I tried to restart ACS services through cli (application stop/start) and different repositories (ftp, tftp) but without success.
Since some months I'm running ACS 5.2 appliance without any problems.When I want to change the password from a local user there's a popup message:
"This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page." I tried different users but I am not able to change any password. Always the same message.
I am not able to backup ACS 5.x server by means of SFTP protocol. We use ACS 5-2-0-26-2. My configuration of repository is:
repository SFTP url sftp://x.x.x.x/home/user user user password hash 455ad
command 'backup acs01 repository SFTP' does not work and I receive the following error message on ACS server:
%SSH connect error
On my sftp server I can find the following error messages:
Apr 6 06:57:46 CR01 sshd[8561]: Accepted password for user from 10.20.86.72 port 47924 ssh2Apr 6 06:57:46 CR01 sshd[8563]: Received disconnect from 10.20.86.72: 11: disconnected by user
How to successfully performed backup by means of SFTP protocol? Do I need any other configuration settings except repository? Do I need to store my SSHD RSA key to ACS? I am able to copy files using SFTP from other computers, so it seems that SFTP server is set correctly.
I have multiple AAA Clients that I need to add. The way I manage the clients, I often make changes of moving IPs from one group to another. I require that all clients use "IP Ranges". I try import the following IPs (8.8.8.1;8.8.8.3;8.8.8.9-10;8.8.8.25) I need them all to be ranges, but what happens is after I import it, I then go to that AAA Client, it makes them all "IP Range(s) By Mask" and siplays it like this.
I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsucessfull. I keep getting the "please verify the patch bundle is valid".
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renambed the file to 5-2-0-26-4.tar.gpg and verified the MD5.
I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
This System Failure occurred: Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.
ACS/admin# sh app version acs Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5
I'm unable to login Switch.......getting following error...I have tried this commands on other 3560 that worked...when I enter user name & password re logging authentication failed error occurs .........This is remote site Switch.
I am in the process of setting up ACS 5.2 for a network and have run into an issue when attempting to apply the following aaa commands to a network device:
aaa authorization exec default group tacacs+ local if-authenticated aaa authorization commands 1 default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ local if-authenticated
Once the commands have been applied to the device configuration I get "command authorization failed" when attempting to do anything. Taking a quick look at the TACACS Authorization reports I see a failure reason of "13025 Command failed to match a Permit rule" and under the Selected Command Set "Deny All Commands" is listed. After doing a bit of searching, I noticed some articles online that indicate I should be able to specify the appropriate command set to the authorization profile under the Default Device Admin policy. However, when I open up a Device Administration Authorization Policy, nowhere in the window does it display command sets that I can select from.
For unknown reason I cannot get WLC to authenticate correctly with ACS 5.2. it's very strange in the sense that when I checked the log. ACS authenticates and authorized the WLC 4402 but I cannot log to the WLC. login screen appeared, if I typed user name it jumped to Controller> user: password:
No matter what I typed (internal or external users) nothing seems to work. This is my frustration, I have no problem authenticating routers and switches except WLC 4402.
