Cisco AAA/Identity/Nac :: ACS V5.2 - Any Limitations On Import Users

Mar 21, 2012

on ACSv5.2...are there any limitations on the number of users that can be imported via CSV file...i.e. will the ACS handle 250,000 internal users for example?

View 1 Replies


AAA/Identity/Nac :: ACS 5.4 Import Users With Expiration Date Field?

Apr 7, 2013

between fields in import template file (add or update) for internal users is no column for expiration date ([URL]). This field is not defined also for export file.
My question is: (How) is it possible import new users (or update existing) into internal db with expiration date field?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Evaluation Limitations?

Mar 30, 2013

I've setup a Cisco Secure ACS server 5.1 in VMware ESXi everything seems to be working fine, however under the options for Policy Elements > Authorization and Permissions > Device Administration > Command Sets there is a command called "DenyAllCommands" that was there when i first installed the ACS.  Is there any way to remove this?  When I try to remove it i get an error that thats it can't be removed or modified.  I'm writing a report on the Cisco ACS for university, if this is a limitation of the evaluation licence I will need to reference it. If this is a limitation and provide a link to a cisco page that confirms this. 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Csv Import Fails

Dec 6, 2010

I'm trying the csv file import and getting some errors.
010-12-07 14:23:47: File Format Validation Completed2010-12-07 14:23:47: Import Started

2010-12-07 14:23:47: Record number: 1, Host 01-02-03-04-05-06: Import Failed2010-12-07 14:23:47: null Import process failed for unexpected reason: Unknown error has accurred.2010-12-07 14:23:47: Import Completed With errors

-------- Summary --------Total Number of Records Processed:1Number of Records Failed:1Number of Records Imported:1---------- End ----------Please refresh the table to see the changes.
On some other tries I get null field or missing fields.
It actually creates the host, but on editing it I get the following message:
An unexpected error has occurred. To continue your work, reselect the option in the left navigation bar.If you continue to receive the unexpected error message, close your browser and log in to ACS again.If you still receive the unexpected error message, contact your system administrator or technical assistance.
MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256),VLAN:String(256):Required,attr-Expiration Date:Date(yyyy-Mmm-dd)01-02-03-04-05-06,AAATest,true,,Guest,2010-Dec-08

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Cannot Import Certificate To CSACS SE 4.2

Mar 2, 2009

I cannot import certificate from CA (Certificate Authority). When I attempt to install the certificate to CSACS SE 4.2, the following error occurs during installation: "Unsupported private key file format".

View 7 Replies View Related

Cisco AAA/Identity/Nac :: Import Server Certificates On ACS 5.2

Jan 10, 2012

When I tried to import the file, there are two lines there, One is Certificate file, the other is for "Private Key File".
My question for you is, is this the private key of CA? My understanding has always been that the private key stays in CA only, not going to any other devices.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Trying To Import VSAs Into ACS 1113 4.2

Mar 27, 2013

I have some VSAs to import into my 1113 box, but I am stuck before I can even start :-( I have an accountActions.csv file containing some VSAs (this is just a test csv file.) I also have an FTP server that is accessible from the 1113 system.
When at the GUI for the 1113 I do System Configuration --> RDBMS Synchronization I get the RDBSM Synchronization Setup screen all right. I have entered all the parameters associated with the FTP server, and selected manual synchronization. The problem is that there are no entries in the AAA Servers window at the Synchronization Partners section at the bottom, and therefore I can't get the 1113 to retrieve my accountActions.csv file, an action that (I guess) is triggered by clicking on the Synchronize Now button.
I do have an AAA Server defined in the 1113. It's a RADIUS server called Self, not assigned to any NDG.I guess I do not understand this at all. I just want to import some external VSAs. Do I need to have an external AAA server to accomplish this? If not, how do I get my local Self server to appear in the list of synchronization partners?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Import Internal Hosts?

May 17, 2011

Trying to use the "File Operations" option to import hosts into ACS.  I go through the wizard and click "Finish", the pop up goes blank and just hangs there.  No errors are generated. 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Unable To Properly Import IP Ranges

Apr 17, 2013

I have multiple AAA Clients that I need to add. The way I manage the clients, I often make changes of moving IPs from one group to another. I require that all clients use "IP Ranges". I try import the following IPs (;;; I need them all to be ranges, but what happens is after I import it, I then go to that AAA Client, it makes them all "IP Range(s) By Mask" and siplays it like this.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Import Template Gives File Format Validation Failed

Sep 21, 2011

Network Resources - Network Devices and AAA Clients- File Operations - Add - gives me File Format Validation Faliled. I am carefull to leave the header as it is. The header in the Import Template looks faulty, see attached. When exporting devices I also get the same header as attached. I also tried to change the header so its all in one column, but with same result.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Importing Users From ACS 4.x To ACS 5.x

Jun 24, 2012

Is it possible to export internal ACS users from an ACS 4.x Windows (On ESXi), solution to an ACS 5.x solution. All I want to be able to do is export usernames and passwords out of the 4.x solution and then import them into the 5.x solution. I thought maybe the CSUtil program be used ?

View 3 Replies View Related

AAA/Identity/Nac :: Authenticate LAN Users Via Cisco 2911

Feb 9, 2012

We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.0 - VPN Authentication And IP Pools For Users

Mar 19, 2012

How to configure the ACS5.0 radius for remote access VPN authentication.
And how could I implement the IP Pools for the VPN users.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: How To Show Logged In Users In ACS 5.1

Sep 5, 2011

After some time no using Cisco ACS5.1, I still don't know how I can see all logged in users. I can see logging and check why an log in goes wrong, but in ACS 3.2 I just clicked on Reports and Activity and I could choose to see logged in users, or failed attempts, etc.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Authenticate Wireless Users With 802.1x

Jun 9, 2011

I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Create Dashboard For All Users?

Apr 28, 2013

I'm at the point of setting up admin access for engineers needing to have insight into the operations and status of our ACS 5.3 systems. any way to create a Dashboard that can be applied to all admin user accounts? (perhaps a custom role?)I've been able to customize the dashboard for my own account to show what is most relevant, but am unable to figure out how to apply this layout and setup to all other users.
Basically, I have a number of folks that need to see this data, but that I can't exactly count on to setup their own dashboards to show the important details.  If there were some way to build a tab/dashboard/portlet, etc (whatver it may be) and have it apply to all users, that would save me TONS of work so that I don't have to login to each person's account and set things up for them.For example, I want to have all users see a tab/dashboard that shows the applet "Live Authentications", but with the protocol already configured to display TACACS vs the default which is RADIUS.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS V5.1.0.44 / WLC 5508 / Cannot Get Users To Authenticate

Sep 25, 2011

Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?

View 9 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Authenticate Only Specific AD Users

Jul 22, 2012

Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.

View 9 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Admin Users Authentication Against AD

Apr 23, 2012

Do you know if it's possible to use ACS 5.x in such manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against and external database, like Active Directory?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 RSA Users Not Getting Level 15 Privilege?

Jun 13, 2011

I have cisco ACS 5.2 and external identity source as RSA secure ID.Currently when the RSA user login to AAA Network devices, User id & passcode prompt coming after giving the credential its going to user exec mode.Then after "enable" command again asking for Passcode giving passcode then user able to logged in successfully.
I need RSA users to get direct privlege level15 (privlege mode) ? no need to ask enable password ? 

I checked this for local ACS users it is working and loca users getting directly privelege mode access...

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 With Mac Authentication To Users Wireless

Mar 14, 2013

I'm working with a cisco wlc and acs 5.3 . I have two profile or ssid's and one of them is working with web authentication and the accounts exists in the local database of cisco acs.
I'll would like to know how can i should configure mac authentication on the cisco acs 5.3?
My purpose is authenticate users first by mac, and second by the account of local users in the cisco acs.

View 10 Replies View Related

AAA/Identity/Nac :: ACS 4.2 Radius Authentication For SSL VPN Users

Dec 22, 2012

Using Cisco ASA I want the  ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed.    When i try to test the user which i have created on the ACS-Server 4.2,  the test gets successful.  where i have made a mistake in my configuration ?

View 2 Replies View Related

AAA/Identity/Nac :: 3355 - Deploy NAC For 500 To 600 Users Across WAN?

Jan 24, 2013

We want to deploy NAC for 500-600 users across WAN. We are planning for L3-OOB-Real Gateway central deployment Solution.We are having two NAC Server (3355) two NAC manger (3355) at HQ and 6 NAC Server(3315) at branch. We deployed NAC under VRF.How we can deploy NAC over WAN without NAC Server, need step by step configuration under VRF.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5525 Ignoring Users Using AD Agent

May 13, 2013

its been a while since I configured a Cisco firewall (PIX 6.0, SDM) - I've now been thrown in the deep end with a pair of 5525-X's (Latest Software) and I need to achieve the belowWebsense integration (Got this working)AAA Authentication for various outbound traffic routes.I'm using ASDM as I'm more comfortable with the GUI than CLI (I'm the other way round with switches!!!), I have AD Agent configured but the ASA isn't doing anything based on User Name but I have a few other things to try. What I'm trying to achieve now is ignoring certain user names from being matched to IP Addresses as I believe that this may have something to do with it.We use Sophos AV and each PC requires a Service Account to run Sophos under. Each update that Sophos attempts is seen as a login and that is the user attached to the IP Address of the machine. Within Websense, it can be told to ignore certain users for purposes of filtering and reporting etc.. but I dont seem to be able to do this with the AD Agent.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Limit AAA Authentication For Certain Users By Source IP

Jul 1, 2012

we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
I want to ignore all authentication attempts, unless they are coming from well known source IPs.Ex: netmon user is the user for a tool running on server If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Oly attempts from should be considered for user netmon.I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Adding And Updating Users Automatically

Mar 16, 2011

I have a Cisco ACS 5.2 and have set it up as a RADIUS server. I was wondering if there is a way to add and update users automatically? We have a large number of users > 1000 that need to be added into the system and I don't want to do this manually. These users also update their passwords on a regular basis so I would need a script that would update the users automatically without any user intervention.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Active Directory Users Cache?

Jun 9, 2013

I've successfully integrated ACS 5.3 with Active Directory for 802.1x implementation. Now i want to cache Active Directory users in ACS so that the user request from ACS does not go to AD every time.
After a certain time period the ACS database gets sync with AD.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Failure To Authenticate Windows Users

Apr 8, 2009

The ACS can authenticate people using local database , it can also authenticate a single user (using windows database) if you are fast after the service is restarted , however after a few secounds, it fails to authenticate any users  , the error we are seeing on the logs appear as authentication failure type : internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: Downloadable ACL For VPN Users - ACS 4.1 And 1841 Router

Mar 6, 2011

I have configured 1841 router as VPN server. All VPN users are getting authenticated using radius in ACS 4.1 I need to apply per-user downloadable ACL.
I have configured ACS for the Downlodabale ACL. Even ACS report acivity shows that ACL is applied to the authenticated user, but the traffic is not blocked or passed accordingly.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.4 Drop Users Into Enable Mode?

Apr 11, 2013

I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not realy sure.
So here's what I tried.Linking identity group to external group and provide full command priviliges - enable still didn't work Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt hit enter on the blank promt then prompts for Old and new passwords but fails everytime with an Error in Authentication.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Configure Users On ACS 4 To Authenticate Password With RSA 6.1

Apr 16, 2013

I have ACS 4 integrated with RSA 6.1, where users of ACS can authenticate their passwords with the rsa server.I am migrating users to ACS 5, and I want to integrate with rsa.
I am configuring rsa as “rsa secureID token servers”.But how should I configure the users on acs to authenticate the password with rsa?
Previously on acs 4, on the user page, in password field, I select authenticate with external DB, Also, any guide for the config on  rsa 6.1 side (with acs 5)

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Setup ACS 5.2 With An ASA V8.3.2 To Lock Users Into VPN Groups?

Jan 18, 2011

I'm trying to setup ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a users AD group.  I've tried various combinations but the group lock isn't working.  I've done steps 1 & 2 ...
1) Network Devices and AAA Clients -> Define VPN

2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
Policy Elements:
Q1) Policy Elements - Do I need an authorization profile for each group:

Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
RADIUS-IETF attribute 25?RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?Other?
Access Policies:
Q1) Do I need to enable and use group mapping?

Q2) Do I need a Network Access Authorization Policy for each group?

View 8 Replies View Related

Copyrights 2005-15, All rights reserved